IT Auditing VIP


8/13/2019 IT Auditing VIP 1/49

CONTENTS

1. Introduction on IS Audit
1.1. Introduction
1.2. Audit Objectives
2. Audit in Computerized Environment
2.1. Understanding of Computerized Environment
2.2. Accounting Information Systems in Computerized Environment
2.3. Impact of IT on Economics of Auditing
2.4. Concept of Security
2.5. IS Management
2.6. Availability of Information Systems
2.7. Access Control
2.8. Database Management
2.9. Application Controls and their Functioning
2.10. Evaluation of Business Risks
2.11. Conversion Audit
3. Audit Organization and Management
3.1. Organization Strategy
3.1.1. Hiring the Right People
3.1.2. Improving Audit Processes
3.1.3. Focusing on Collaboration
3.2. IS Audit as Review of Management
4. Risk Based Audit Framework
4.1. Introduction to the Risk Based Audit Framework (RBAF)
4.1.1. What is an RBAF
4.1.2. Why do we need RBAF?
4.1.3. Development and Implementation of the RBAF
4.1.4. Planning and Preparing an RBAF
4.2. Components of an RBAF
4.2.1. Introduction
4.2.2. Roles, Responsibilities and Relationships
4.2.3. Program Profile
4.2.4. Risk Assessment and Management Summary
4.2.5. Program Monitoring and Recipient Auditing
4.2.6. Internal Auditing
4.2.7. Reporting Strategies
4.3. RBAF-RMAF Integration
5. Audit Standards
5.1. Code of Professional Ethics
5.2. IS Auditing Standards
5.3. IS Auditing Guidelines
6. Use of Computer Assisted Audit Techniques (CAAT)
6.1. Background
6.2. Planning
6.3. Performance of Audit Work
6.4. CAATs Documentation
6.5. Reporting

1. Introduction on IS Audit

1.1 Introduction

The Working Group on Information Systems Security for the Banking and Financial Sector, constituted by the Reserve Bank of India, laid down that each bank in the country should have an Information Systems Audit Policy. Accordingly, the Information Systems Audit and Security cell prepares the Information Systems Audit Policy of the bank. The fundamental principle is that risks and controls are continuously evaluated by their owners, where necessary with the assistance of the IS Audit function.

Business operations in the banking and financial sector have become increasingly dependent on computerized information systems over the years. It has now become impossible to separate information technology from the business of the banks. Focused attention is needed on the corporate governance of information systems in a computerized environment and on the security controls that safeguard information and information systems. Developments in information technology have a tremendous impact on auditing. A well-planned and structured audit is essential for risk management and for the monitoring and control of information systems in any organization.

1.2 Audit Objectives

Auditing is a systematic and independent examination of the information systems environment to ascertain whether the objectives set out to be achieved have been met. Auditing is also described as a continuous search for compliance. The objective of an IS audit is to identify the risks to which an organization is exposed in the computerized environment. The IS audit evaluates the adequacy of the security controls and informs management with suitable conclusions and recommendations. IS audit is an independent subset of the normal audit exercise. Information systems audit is an ongoing process of evaluating controls and suggesting security measures for the purpose of safeguarding assets and resources, maintaining data integrity, and improving system effectiveness and efficiency so that organizational goals are attained. A well-planned and structured audit is essential for risk management and for the monitoring and control of information systems in any organization.

1.2.1 Safeguarding IS assets

The information systems assets of the organization must be protected by a system of internal controls. This includes protection of hardware, software, facilities, people, data, technology, system documentation and supplies, because hardware can be damaged maliciously, software and data files may be stolen, deleted or altered, and supplies of negotiable forms can be used for unauthorized purposes. The IS auditor will be required to review the physical security over the facilities, the security over the systems software and the adequacy of the internal controls. The IT facilities must be protected against all hazards, whether accidental or intentional.

1.2.2 Maintenance of Data Integrity

Data integrity includes the safeguarding of information against unauthorized addition, deletion, modification or alteration. The desired features of the data are described hereunder:

a. Accuracy: Data should be accurate. Inaccurate data may lead to wrong decisions and thereby hinder the business development process.

b. Confidentiality: Information should not lose its confidentiality. It should be protected from being read or copied by anyone who is not authorized to do so.

c. Completeness: Data should be complete.

d. Reliability: Data should be reliable, because all business decisions are taken on the basis of the current database.

e. Efficiency: The ratio of output to input is known as efficiency. If output is more with the same or less input, system efficiency is achieved; otherwise the system is inefficient. If computerization results in a degradation of efficiency, the effort of automating the process stands defeated. IS auditors are responsible for examining how efficient the application is in relation to its users and workload.

2. Audit in Computerized Environment

2.1. Understanding the Computerized Environment

In this section we explain how a computerized environment changes the way business is initiated, managed and controlled.

Information technology helps in the mitigation and better control of business risks, and at the same time brings along technology risks. Computerized information systems have special characteristics which require different types of controls. Technology risks are controlled by general IS controls and business risks are controlled using application controls. Even though the controls are different, the objectives of the audit function do not change whether information is maintained in a computerized environment or a manual one; only the tools and techniques differ.

The changes in control and audit tools and techniques have resulted in new methods of audit. The internal controls are mapped onto the technology. These controls and their mapping need to be understood, as do the methods to evaluate and test them. The auditor must learn new skills to work effectively in a computerized environment. These new skills fall into three broad areas:

First, understanding of computer concepts and system design;

Second, understanding the functioning of the Accounting Information System (AIS), an ability to identify new risks, and an understanding of how the internal controls are mapped onto the computers to manage technology and business risks;

Third, knowledge of the use of computers in audit.

Acquisition of these skills has also opened up new areas of practice for auditors, such as information systems audit, security consultancy and web assurance.

2.2. Accounting Information Systems in Computerized Environment

In this section we bring out the fact that the Accounting Information System in the manual and in the computerized environment is not the same.

In the computerized environment accounting records are kept in computer files, which are of three types: master files, parameter files and transaction files. This classification is not based on the type of record but on the need for and frequency of updating and the level of security required. File and record security is implemented using the facilities provided by the operating system, the database and the application software.

With the increasing use of information systems, transaction processing systems (TPS) play a vital role in supporting business operations, and many a time a TPS is in fact the AIS. Every transaction processing system has three components: input, processing and output. Since information technology follows the GIGO (garbage in, garbage out) principle, it is necessary that input to the system be accurate, complete and authorized. Automating input capture, for which a large number of devices are now available, removes transcription errors, but accuracy, completeness and authorization still have to be enforced by validating each input record against the master and parameter files and by authorization checks before a transaction is accepted. There are two types of TPS, batch processing and on-line processing, and the documents, controls and security implementation differ for each.
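The input controls described above, worked through in code as an added example (this is not code from the original document): a batch of transactions is validated against a master file and a parameter file before it is accepted, and every rejected record goes to an exception report with the control it failed. The file layouts, field names, approval limit and sample records are all constructed for this example.

```python
"""Input controls for a batch transaction file, checked against master and
parameter files.  Added example, not code from the original document: the three
files are constructed samples and their pipe-separated layouts are assumptions.
  master file:      customer_id|name|status
  parameter file:   key=value standing data (approval limit, approver list)
  transaction file: txn_id|customer_id|amount|approved_by
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

MASTER_FILE = """\
C001|Acme Motors|ACTIVE
C002|Beta Garages|ACTIVE
C003|Gamma Spares|CLOSED
"""
PARAMETER_FILE = """\
max_amount_without_approval=1000.00
approvers=mgr01,mgr02
"""
# One clean record, one approved above the limit, then one failure per control.
TRANSACTION_FILE = """\
T1001|C001|250.00|
T1002|C002|1500.00|mgr01
T1003|C002|1500.00|mgr01
T1004|C003|99.00|
T1005|C999|40.00|
T1006|C001|abc|
T1007|C001|2500.00|clerk7
T1008|C001|75.00
"""

@dataclass(frozen=True)
class Finding:
    txn_id: str
    control: str   # the input control that rejected the record
    detail: str

def load_master(text):
    """Map customer_id -> True if the customer is ACTIVE on the master file."""
    active = {}
    for line in text.splitlines():
        cid, _name, status = line.split("|")
        active[cid] = status == "ACTIVE"
    return active

def load_parameters(text):
    """Read key=value standing data from the parameter file."""
    params = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def validate_transactions(txn_text, master_text, param_text):
    """Apply completeness, accuracy, authorization and redundancy checks.

    Returns (accepted_ids, findings).  A record is accepted only when all four
    fields are present, the amount is a positive money value, the customer is on
    the master file and active, any amount above the parameter-file limit carries
    an approver from the approver list, and the record does not repeat one already
    accepted in the batch (duplicates go to the exception report for review).
    """
    active = load_master(master_text)
    params = load_parameters(param_text)
    limit = Decimal(params["max_amount_without_approval"])
    approvers = set(params["approvers"].split(","))
    accepted, findings, seen = [], [], set()
    for raw in txn_text.splitlines():
        fields = raw.split("|")
        if len(fields) != 4:
            findings.append(Finding(fields[0], "completeness", f"expected 4 fields, got {len(fields)}"))
            continue
        txn_id, cust, amount_s, approver = fields
        try:
            amount = Decimal(amount_s)
            if amount <= 0:
                raise InvalidOperation
        except InvalidOperation:
            findings.append(Finding(txn_id, "accuracy", f"amount {amount_s!r} is not a positive money value"))
            continue
        if cust not in active:
            findings.append(Finding(txn_id, "authorization", f"customer {cust} is not on the master file"))
            continue
        if not active[cust]:
            findings.append(Finding(txn_id, "authorization", f"customer {cust} is closed"))
            continue
        if amount > limit and approver not in approvers:
            findings.append(Finding(txn_id, "authorization", f"{amount} exceeds {limit} without a valid approver"))
            continue
        if (cust, amount, approver) in seen:
            findings.append(Finding(txn_id, "redundancy", "repeats a transaction already accepted in this batch"))
            continue
        seen.add((cust, amount, approver))
        accepted.append(txn_id)
    return accepted, findings

if __name__ == "__main__":
    ok, bad = validate_transactions(TRANSACTION_FILE, MASTER_FILE, PARAMETER_FILE)
    print("accepted:", ok)
    for f in bad:   # the exception report
        print(f"{f.txn_id}  {f.control:<14} {f.detail}")
```

Running the script prints the accepted transaction ids followed by the exception report. The redundancy check is deliberately a plain match on customer, amount and approver, which is why a repeated record is reported for review rather than silently dropped: a genuine second sale of the same value would otherwise be lost.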

COBIT (Control Objectives for Information and Related Technologies) is an internal control framework established by ISACA for information systems. COBIT can be applied to the accounting information system. To apply the COBIT framework an organization should:

Define the information system architecture;

Frame security policies;

Conduct a technology risk assessment;

Take steps to manage technology risks, such as:

o Designing appropriate audit trails; providing systems and software security; having a business continuity plan; managing IS resources like data, applications and facilities; and periodically assessing the adequacy of internal controls and obtaining independent assurance for the information system.

We then explain the functioning of typical sales, purchase and payroll accounting systems in a computerized environment. In particular, we focus on the inputs required, application controls, processing, reports generated, exception reports, files used and standing data used.

To enable an auditor to understand the accounting information system so that audit evidence can be collected, we have covered flowcharting techniques too.

2.3. Impact of IT on Economics of Auditing

In this section we discuss the impact of IT on the nature and economics of auditing. With the emerging areas of practice and auditors having acquired IT skills, the economics of auditing have also changed. During the past three decades, IFAC has issued several relevant standards for auditing in a computerized environment. These standards cover areas like risk assessment in a computerized environment, stand-alone computers, database systems, on-line information systems, etc. Some standards issued for the manual environment are also applicable here. AICPA and ISACA have issued standards covering various areas in IS audit. Some of these standards, such as the standards on evidence and on audit planning, are relevant for financial auditors and find a mention in this section.

Information technology also affects audit documentation, reporting, work papers, etc. Auditing in a computerized environment integrates the skills and knowledge of traditional auditing, information systems, and business and technology risks, and IT affects audit planning, audit risk, audit tools and techniques, etc. Since the detection of risks can now be supported by computer assisted tools and techniques, overall audit risk can be controlled and reduced.

The risk-based audit approach starts with a preliminary review. The next step is risk assessment. Depending upon the intensity of the use of information technology, the audit is then done either through the computer or around the computer. Once the approach is decided, the next step is to assess general IS controls and application controls. Using CAATs, the controls are assessed, evidence is collected and evaluated, and reports are prepared using the information systems.

2.4. Concept of Security

In this section we discuss the concept of security in detail. IS resources are vulnerable to various types of technology risks and are subject to financial, productivity and intangible losses. Resources like data actually represent the physical and financial assets of the organization. Security is a control structure established to maintain the confidentiality, integrity and availability of data, application systems and other resources.

A few principles need to be followed for the effective implementation of information security. These are: accountability, which means a clear apportionment of duties, responsibilities and accountability in the organization; creation of security awareness in the organization; cost-effective implementation of information security; integrated efforts to implement security; periodic assessment of security needs; and timely implementation of security.

Information security is implemented using a combination of general IS controls and application controls. General IS controls include the implementation of security policy, procedures and standards, the implementation of security using systems software, the business continuity plan and information systems audit.

Besides these, various other types of controls are used for implementation: framing and implementing a security policy, and environmental, physical, logical and administrative controls. Physical controls include locks and keys, biometric controls and environmental controls. Logical controls, such as the access controls implemented by operating systems, database management systems and utility software, are enforced through sign-on procedures, audit trails, etc. Administrative controls include separation of duties; security policy, procedures and standards; disaster recovery and business continuity plans; and information systems audit.

2.5. IS Management

Information systems audit is a process to collect and evaluate evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently.

The common element between any manual audit and IS audit is data integrity. All types of audit (information audits) have to evaluate data integrity. Since IS audit involves efficiency and effectiveness, it includes some elements of management and propriety audit too.

IS audit evaluates the IS management function. According to COBIT, there are five IS resources: people, application systems, technology, data and facilities. The IS management function can be divided into four phases, like any other management function:

Management (which is equivalent to planning and organization)

Implementation and deployment

Directing and controls

Audit and monitoring.

In this section, we discuss the most important activities and controls for each of the resources during each phase of information systems management. We also discuss what an IS auditor would like to review during each phase for each resource.

All said and done, it should never be forgotten that the heart of IS audit is the systems audit, which reviews the controls implemented on the system using systems software. Systems audit is a matter of skills acquisition and not of knowledge acquisition. A sample checklist for a UNIX audit is included in the section.
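As an added illustration of the kind of systems-audit check such a checklist covers (this is example code, not the checklist or any code from the original document), the script below runs three typical UNIX account checks, accounts with an empty password field, accounts other than root with UID 0, and empty or weak password hashes in the shadow file, followed by a search for world-writable files and directories. The passwd and shadow contents are constructed samples in the standard /etc/passwd and /etc/shadow layouts, and the permission check runs on a temporary directory the script creates and removes itself, so nothing on the host is read or changed. On a real host the auditor would point audit_accounts at /etc/passwd and /etc/shadow and world_writable at the system and application directories.

```python
"""Sample systems-audit checks for a UNIX host, run on constructed data.

Added example; not the checklist referred to in the document.  PASSWD and SHADOW
are constructed samples in the /etc/passwd and /etc/shadow layouts, and the
permission check runs on a temporary tree built and removed by the script.
"""
import os
import shutil
import stat
import tempfile

PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oper:x:0:0:operator:/home/oper:/bin/sh
appuser:x:1001:1001::/home/appuser:/bin/sh
olduser::1002:1002::/home/olduser:/bin/sh
"""

SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
oper:$1$legacy$0123456789abcdefghijk:19000:0:99999:7:::
appuser:$6$saltsalt$zyxwvutsrqponmlkjihgfedcba9876543210:19000:0:99999:7:::
olduser::19000:0:99999:7:::
"""

MESSAGES = {
    "empty_passwd": "empty password field in passwd: the account logs in without a password",
    "uid0": "UID 0 account other than root: a second superuser outside normal accountability",
    "empty_hash": "empty hash in shadow: no password is required",
    "weak_hash": "MD5-crypt ($1$) hash: rehash with SHA-512 crypt ($6$) or yescrypt ($y$)",
}

def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding_code) pairs for common sign-on weaknesses."""
    findings = []
    for line in passwd_text.splitlines():
        name, pw, uid, *_ = line.split(":")
        if pw == "":
            findings.append((name, "empty_passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "uid0"))
    for line in shadow_text.splitlines():
        name, hashed, *_ = line.split(":")
        if hashed == "":
            findings.append((name, "empty_hash"))
        elif hashed.startswith("$1$"):
            findings.append((name, "weak_hash"))
    return findings

def world_writable(root):
    """Walk a tree and return relative paths that any user can modify:
    world-writable files, and world-writable directories without the sticky bit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo_permissions():
    """Build a constructed sample tree, audit it, and clean up."""
    root = tempfile.mkdtemp(prefix="isaudit-")
    try:
        os.makedirs(os.path.join(root, "bin"), mode=0o755)
        os.makedirs(os.path.join(root, "tmp"))
        for rel, mode in [("bin/backup.sh", 0o777),   # anyone can edit a script run from cron
                          ("bin/report.sh", 0o755),
                          ("tmp/scratch", 0o666)]:
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "tmp"), 0o1777)  # sticky bit: acceptable for a /tmp-style directory
        return world_writable(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for account, code in audit_accounts(PASSWD, SHADOW):
        print(f"{account:<10} {MESSAGES[code]}")
    for path in demo_permissions():
        print(f"world-writable: {path}")
```

The two files are checked separately on purpose: an empty field in passwd and an empty hash in shadow are different weaknesses (the first bypasses the shadow file entirely), and an auditor wants each reported against the account it affects.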

2.6. Availability of Information Systems

[The remainder of page 9 and pages 10 to 18 of the original, covering the rest of section 2 and sections 3, 3.1, 3.1.1 and the start of 3.1.2, are not present in this extract. The text resumes part-way through section 3.1.2, Improving Audit Processes.]

... decided to use Lotus Notes as its worldwide standard for groupware. Since then, internal audit has built a number of databases for audit processes using Lotus Notes. With this base, the internal audit group has developed and used the following tools, all accessible worldwide:

ELECTRONIC WORKPAPERS

Incorporated into processes in late ..., they have expanded over the years and are used in a different format by internal audit worldwide. These include separate sections within the workpapers for process flow documentation, interviews, key document descriptions, and even logistics information.

BEST PRACTICES DATABASE

An important tool to cross-pollinate successful practices as auditors travel from location to location, it represents the top processes of companies as identified by auditors.

TIMEKEEPING

The database can be "sliced and diced" to analyze hours or days by job, audit activity, and auditor. It can also accumulate billing data as well as perform many other functions.

E-MAIL

Includes electronic distribution of audit reports.

REFERENCE DATABASE

Located within the group, the Internal Control Documents database includes past audit reports, audit follow-up analyses, audit report distribution lists, key document templates, presentations, minutes of information-sharing staff meetings, and other reference information.

AUDIT PRACTICES REFERENCE PROGRAMS

Compiled by area.

AUDIT MANAGEMENT AND AUDIT PROGRESS DATABASES

Used for the internal administration of audits (audit numbers, location data, team members, status, audit follow-up, and more), these databases are also available to company management as a status of planned and active audits.

MANUFACTURING AND SUPPLY MANAGEMENT TOOL KITS

Repositories of data and techniques for these areas.

INTERNAL GUIDELINES

Instructions for the operation of the audit group.

COMPANYWIDE POLICIES AND PROCEDURES

Accounting and reporting guidelines for the whole company.

CORPORATE DATABASES

Includes electronic expense reporting and news releases.

In addition, the auditors developed a kit of templates for key audit documents. The kit includes Word and Excel framework documents, such as audit engagement letters, audit reports, management action plans replying to audit reports, auditor job performance evaluations, and the audit quality questionnaire sent to customers following an audit.

Internal audit has also made extensive use of the Internet. The worldwide Web site has a tremendous volume of data, which includes everything from companies, products, and locations to employee benefit forms. Internal auditing designed its corner of the Web site to market and explain its activities and to present employment opportunities.

These electronic platforms have made a tremendous difference to auditors in terms of accessibility and ease of use of information, cycle-time reduction, and availability of reference material. These efficiencies have enabled the internal audit group to be more productive and to better serve its customers. Electronic platforms remove the barriers of time, geography, and space. Armed with skilled personnel, effective processes, and supportive electronic platforms, the auditors are ready to better partner with their customers.

3.1.3 Focusing on Collaboration

By listening and offering advice on business and control issues on a continuous basis, the senior internal audit team has created an effective network with senior management. The auditors add value by providing not only what clients are seeking but also what they may need, even if they are not aware of it. The auditors strive for a win-win environment by delivering a good mix of both.

Internal audit performs a worldwide risk assessment on which it bases its audit plan. Continuous collaboration and one-on-one meetings enable the auditors to analyze risk on an ongoing basis and expose hidden issues. These meetings, if they set the right win-win tone, can be frank expressions of needs by both parties to accomplish their respective tasks. Auditors recognize that the highest level of acceptance has been realized when customers call them for operational, control, and other corporate governance advice.

Generally during these meetings a formal agenda, beginning with recent key audits and future risks, works best. The auditors work through these issues at a quickened pace, but when a nerve is hit, the auditors and management tackle it together. The auditors use various handouts, such as portions of audit and risk analysis reports, and other documentation to keep senior management focused on where they are headed in the larger environment. Management's comments and concerns are carefully noted and frequently integrated into the audit plan.

The auditors' goals are to add value, to be timely, and, in times of trouble, to avoid the question "Where were the auditors?" Being proactive with senior management helps prevent a "witch hunt" aimed at internal auditing when something goes wrong.

The auditors further the collaboration effort by following up on past audits, whether in person, by e-mail, or by telephone. Internal auditors can prioritize new and potential acquisitions of companies, some of which may be small, for review.

By integrating people, audit processes, electronic platforms, and focused collaboration with senior management, audit groups can become world-class organizations. No one factor will do the task alone. The synergies of integrating these elements produce a compelling environment that fosters excellence. Any successful program must be ongoing and focused on continuous change. Seeking world-class status is a never-ending journey and not simply a destination along the way.

3.2 IS Audit as Review of Management

The objectives of an information system audit are to obtain reasonable assurance that an organization safeguards its data processing assets, maintains data integrity and achieves system effectiveness and efficiency. In conducting an audit there are five major phases: planning the audit, tests of controls, tests of transactions, tests of balances or overall results, and completion of the audit. This report looks at how the nature of the organization and its use of generalized application software affect the conduct of each of these phases.

The organization is a medium-size automotive servicing firm. It uses a local area network consisting of three microcomputers running software application packages, placed in different locations for different functions. The application software packages are well known, well tested, and supplied by a reputable vendor, and all the applications are relatively straightforward.

Auditing must be properly planned to achieve the results that both the auditors and the organization are looking for. In this first phase, planning the audit, the auditor needs to obtain an understanding of the accounting and internal control systems in order to plan the audit. The auditor should obtain an understanding of the complexity of the information system and also of how the information system environment influences the assessment of inherent and control risks.

The auditor should start by conducting interviews with top management and information system personnel to gather information for the audit. The auditor must observe the activities being carried out within the information system function, review working papers from prior audits and review the information system documentation. The auditor then needs to review the information collected so as to have a good understanding of all the controls that exist within the organization. Reviewing the information system control procedures will help to evaluate the risks to the integrity of the accounting data presented in the financial reports.

The software used by the organization is well known, well tested, and supplied by a reputable vendor. The application software packages are already divided by the functions they perform, which simplifies the complexity issues for the audit. Given that the application is well tested by the vendor, it can be inferred that the computer controls are in effect and should be very effective. Vendor testing, however, only establishes that the package's controls work as designed; whether they have been enabled and configured correctly at this site is something the auditor still has to confirm. The auditor therefore needs to concentrate on the user controls that are in place to see how they can be improved. Two major control issues were raised in the case: modifications to the software and access to the central database. The general manager has given the assurance that no modifications were made to the software, and that no staff member has the computer knowledge needed to carry out such modifications. This may be true, but controls must be in place to ensure that no modifications are made without proper authority. Adequate controls must exist over the source code, object code and documentation of the package. It is mentioned that there is controlled access to the central database. The auditor must examine these controls, since unauthorized access to databases can jeopardize the integrity of data.

Some other controls that the auditor should check are the secure issue or choice of passwords, correct validation of passwords, secure storage of passwords and follow-up on illicit use of passwords. There should be controls against unauthorized, inaccurate, incomplete, redundant, ineffective or inefficient inputs entering the system. The input program should identify incorrect data as it is entered, and data sent over communication lines should be protected by error-detecting or error-correcting codes so that corruption caused by line noise is caught. The local area network is very small, consisting of only three microcomputers, but it still needs protection against natural threats and physical disasters, so it is necessary to protect the local area network.

Even if controls are in place and are well designed and applied, the risk remains that the auditor will fail to detect actual or potential material losses or account misstatements at the end of the audit. This is the audit risk, and auditors must determine it. In deciding the level of inherent risk the auditor needs to take into account that the organization is a medium-sized firm in an industry that is not subject to rapid change. The industry is not subject to many threats and would not normally be a target for abuse. In this light it can be assumed that the inherent risk will be low. To determine the control risk the auditor should look at management and application controls. Management controls should be looked at first, since if management controls are good there should be little need to go into the application controls in depth. If management enforces high quality documentation standards then it is unlikely that the auditor will have to review the documentation for each application. Given that the software is well known and well tested, the application controls should be strong. Therefore the control risk should also be very low for the organization.

At this point it can be concluded that the auditor should audit around the computer. The reasons for this are, firstly, that the applications are relatively straightforward and simple. Second, it is more cost effective to audit around the computer when generalized application software is being used. The application software was provided by a reputable vendor and is well tested, and the application has not been modified according to the general manager. Thirdly, since the package is well tested, a high reliance is placed on user controls rather than computer controls. Thus there is no need to test the processing logic and controls of an application that has already been tested by the vendor; doing so would require technical expertise to duplicate a task performed by a reputable vendor.

In the second phase, tests of controls, the auditor should go into more detail in reviewing the documentation of processes and analyzing the information the auditor is interested in. Controls should be analyzed for faults and defects. Both user and computer controls should be tested, but since the application is well tested, testing should focus on the reliability of the user controls rather than the reliability of the computer controls. Some of the controls that should be tested during this phase are: controls over unauthorized, inaccurate, incomplete, redundant, ineffective or inefficient inputs entered into the program; that output is complete and accurate and distributed promptly to the correct recipient; secure issue or choice of passwords, correct validation of passwords, secure storage of passwords and follow-up on illicit use of passwords; segregation of duties; availability of up-to-date backups, viability of those backups, the whereabouts of backup storage units and a usable restore procedure; reporting, recording and resolving incidents and operational failures; and continuity controls.

In the third phase, tests of transactions, testing should be centered on checking whether material loss or account misstatement has occurred or might occur due to erroneous or irregular processing of a transaction. The application software is straightforward with the necessary built-in controls in place, so there is no need to go through the entire system looking for transaction errors. The auditor should take a few transactions and trace them from the beginning to the end of processing to verify whether transactions are handled effectively and efficiently.

In the fourth phase, tests of balances or overall results, the purpose is to gather sufficient evidence to make a final judgment on the size of the losses or account misstatements that might have occurred, or might occur, when the information system function fails to safeguard assets, maintain data integrity, and achieve system effectiveness and efficiency. If auditors find that computer controls are weak or nonexistent they will need to do more substantive testing through detailed tests of transactions and account balances.

However, in this case the vendor tested all the computer controls and it is safe to assume that the controls are strong, which reduces the extent of substantive testing required. Selling spare parts is one of the major revenue earners for the organization, so the auditors should conduct a physical inventory of the spare parts to verify that the physical count and the count held in the computer application are the same. Other tests that can be done are to recalculate depreciation on fixed assets and to obtain confirmation of receivables.
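The two substantive tests named above, the count reconciliation and the depreciation recalculation, as an added example written in the style of a simple CAAT (this is not code from the original document). The stock quantities, unit costs, fixed-asset register, materiality threshold and the choice of straight-line depreciation are assumptions constructed for the example; a real run would read the same figures from the application's files.

```python
"""CAAT-style substantive tests: inventory count reconciliation and
depreciation recalculation.

Added example, not from the original document.  The stock figures, unit costs,
the fixed-asset register, the materiality threshold and the use of straight-line
depreciation are all assumptions constructed for this example.
"""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
MATERIALITY = Decimal("25.00")   # assumed: smaller value differences are not reported

# Constructed: quantity per part number as held by the application vs. as counted
APPLICATION_STOCK = {"BRK-100": 40, "FLT-220": 125, "OIL-5W30": 300, "PLG-045": 80}
PHYSICAL_COUNT = {"BRK-100": 40, "FLT-220": 119, "OIL-5W30": 300, "PLG-045": 84, "WPR-700": 12}
UNIT_COST = {"BRK-100": Decimal("35.00"), "FLT-220": Decimal("8.50"),
             "OIL-5W30": Decimal("6.25"), "PLG-045": Decimal("2.10"), "WPR-700": Decimal("11.00")}

# Constructed fixed-asset register:
# (asset, cost, salvage value, useful life in years, years in service, recorded annual charge)
FIXED_ASSETS = [
    ("LIFT-01", Decimal("24000"), Decimal("4000"), 10, 3, Decimal("2000.00")),
    ("DIAG-02", Decimal("9000"), Decimal("0"), 5, 2, Decimal("1500.00")),
    ("COMP-03", Decimal("3600"), Decimal("600"), 3, 1, Decimal("1000.00")),
    ("PRT-04", Decimal("1200"), Decimal("0"), 3, 4, Decimal("400.00")),
]

def reconcile_inventory(system, physical, unit_cost, materiality=MATERIALITY):
    """Compare application quantities with the physical count, part by part.

    Parts present on only one side are compared against a quantity of zero, so
    stock on the floor that the application does not know about is reported just
    like a shortage.  Returns (part, system_qty, physical_qty, value_difference).
    """
    exceptions = []
    for part in sorted(set(system) | set(physical)):
        sys_qty, phys_qty = system.get(part, 0), physical.get(part, 0)
        value_diff = (Decimal(phys_qty - sys_qty) * unit_cost[part]).quantize(CENT)
        if abs(value_diff) >= materiality:
            exceptions.append((part, sys_qty, phys_qty, value_diff))
    return exceptions

def straight_line(cost, salvage, life_years):
    """Annual straight-line depreciation charge."""
    return ((cost - salvage) / life_years).quantize(CENT, rounding=ROUND_HALF_UP)

def recompute_depreciation(register, materiality=MATERIALITY):
    """Recalculate each asset's annual charge and report material differences.

    An asset past its useful life should carry no further charge, so its expected
    charge is zero.  Returns (asset, recorded, expected, note).
    """
    exceptions = []
    for asset, cost, salvage, life, years_in_service, recorded in register:
        if years_in_service > life:
            expected, note = Decimal("0.00"), "fully depreciated, charge should have stopped"
        else:
            expected, note = straight_line(cost, salvage, life), "recorded charge differs from recalculation"
        if abs(expected - recorded) >= materiality:
            exceptions.append((asset, recorded, expected, note))
    return exceptions

if __name__ == "__main__":
    for part, sys_qty, phys_qty, diff in reconcile_inventory(APPLICATION_STOCK, PHYSICAL_COUNT, UNIT_COST):
        print(f"{part}: system {sys_qty}, counted {phys_qty}, value difference {diff}")
    for asset, recorded, expected, note in recompute_depreciation(FIXED_ASSETS):
        print(f"{asset}: recorded {recorded}, expected {expected} ({note})")
```

Differences are valued at unit cost and only reported when they reach the materiality threshold, so the follow-up list is limited to the items worth a recount or an adjusting entry; a part that exists only in the physical count is reported as well, since unrecorded stock is as much a data-integrity exception as a shortage.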

In the fifth phase, completion of the audit, additional tests to bring the audit to a close are generally conducted. These include reviews for subsequent events and contingent liabilities. The auditor must then form an opinion as to whether material loss or account misstatements have occurred, and issue a report. The auditor should provide management with a report documenting control weaknesses, identifying the potential consequences of these weaknesses, and recommending remedial actions. It was noticed that no controls are in place against unauthorized program changes; the auditors must note that weakness, let management know that unauthorized changes can destroy the functionality of the application, and suggest ways of eliminating that threat. Some recommendations the auditor can make are as follows: strengthen security for the organization's information assets by developing disaster recovery and business continuity plans; review technical staff's access to programs and data; track staff activities; limit the files and other resources that authenticated users can access and the actions they can execute; and develop internal controls to guard against unauthorized program changes.

There is no right or wrong approach to conducting an information systems audit. There are factors that must be taken into account during the planning phase of the audit, and these factors determine the approach the auditor takes. As was seen in this case, the fact that it was a medium-sized, low-risk organization using generalized application software that had not been modified was the main factor that determined the approach taken by the auditor.


4. Risk-Based Audit Framework

4.1 Introduction to the Risk-Based Audit Framework

4.2.2 Roles, Responsibilities and Relationships

While management has overall responsibility for the RBAF, IA is responsible for employing a risk-based approach in establishing whether the overall transfer payment program should be subject to audit. As such, IA should complete the Internal Auditing section (Section 4.2.6) of the RBAF. Managers and IA should consult as soon as the RBAF requirement has been identified. They should reach agreement on the collaboration needed to complete the Recipient Auditing and Internal Auditing sections of the RBAF. To facilitate a common understanding of compliance and ongoing monitoring requirements, it may also be beneficial to articulate recipients' roles and responsibilities for meeting contribution agreement terms and conditions.

c) Product: A statement of roles, responsibilities and relationships between TPP management, IA and recipients.

4.2.3 Program Profile

a) Purpose: The Program Profile should provide the context and the key areas of inherent risk (Key Risk Areas) that evolve from the transfer payment program's objectives and environment. Overall, the profile assists the manager in:


• meeting good governance expectations through a sound understanding of the accountability and risk management environment; and
• conducting a more efficient and effective detailed identification and assessment of risk for the Risk Assessment and Management Summary in the next RBAF component.

b) Process: The Program Profile should be developed with reference to the organization's outcomes and design information that has been compiled during recent business planning and the development of the RMAF. As a first step in the process, the "Performance Profile" and other pertinent RMAF data should be verified with participating managers. Clearly articulated objectives and context will provide the basis for further internal and external environmental analysis and identification of the Key Risk Areas that evolve from the mandate. In this context, for ongoing programs, any recent internal audit or evaluation should be described, particularly the effect that their results may have had on the program. In the case of a small, uncomplicated program, the Profile can be developed by the manager alone. However, as the complexity and magnitude of the program increase, greater detail will be required from key knowledgeable stakeholders to ensure all Key Risk Areas are identified and adequately described. Knowledgeable stakeholders include experienced program staff, internal audit and evaluation advisor(s) and, if deemed necessary, external stakeholders. The involvement of a risk management advisor may also be required, depending on the degree of program complexity.

c) Product: The Profile should include:

• the background, underlying rationale, objectives and need for the program;
• the target population, resources, product groups, delivery mechanisms, TPP stacking provisions and governance structure; and
• the key internal and external areas of risk (Key Risk Areas) that evolve from the legislation, mandate, program design and/or operating environment where there is a potential for significant impact on performance (i.e. it anticipates, in macro terms, the work to be done in the next section).

4.2.4 Risk Identification, Assessment and Management Summary

The key risks should ideally be identified and assessed, and the associated mitigation measures either implemented or in progress, prior to the development of the proposed Treasury Board submission (in the case of new policy initiatives, prior to the Memorandum to Cabinet). If available, the departmental Integrated Risk Management Framework (IRMF) would be a primary source of reference, or at least a starting point.

a) Purpose: The purpose of this component is to ensure an explicit understanding of the level of key risks. Through systematic risk identification, assessment and development of response or mitigation procedures, managers will acquire an explicit understanding of all aspects of key risks. Furthermore, this component provides insight into the main operational measures, including the controls used to mitigate key risks, and thereby contributes data relevant to the explanation of Program Monitoring presented in the Program Monitoring and Recipient Auditing section (4.2.5).

b) Process: The preparation of the Risk Assessment and Management Summary section generally requires input from a team of managers and knowledgeable staff within the program area, supported by various functional groups.

The team should carry out the following steps.

Preparation Steps

• Consider who should participate
• Clearly define risk
• Establish a time horizon
• Customize a risk matrix
• Consider other tool requirements

Process Steps

1. Understand Objectives

• Clearly articulate and understand the program's objectives with reference to the outcomes established in the RMAF Logic Model.

2. Risk Identification

• Identify risk areas (sources of risk) related to the achievement of objectives (e.g. events, hazards, issues, lost opportunities and circumstances that could lead to an impact on stewardship, delivery, outputs, outcomes, etc.); and
• Conduct a preliminary intuitive analysis of the risk level of each area (high, medium, low) to select the risk areas that require further analysis.

3. Risk Assessment

• Articulate the particular concerns and existing mitigation measures for the risk areas selected for detailed analysis; and
• Assess the likelihood and impact of an undesirable effect, given existing mitigation measures, to arrive at a residual level of risk.


4. Risk Response or Mitigation

• Establish incremental response strategies to avoid, share, transfer, accept and manage the risk.

5. Key Risk Summaries

• Summarize the Key Risks and the related particular concerns, existing measures, and Incremental Risk Management Strategies.

c) Product: The Risk Assessment and Management Summary should include:

• A methodology section which explains the risk definition and model;
• A brief description of the process steps followed;
• The identification of parties involved in the process;
• A Risk Matrix to explain the criteria and define the levels of impact and likelihood;
• An elaboration of the Key Risk Areas that were used in the Profile section to explain the overall risk context of the program; and
• Summaries of the Key Risks that were identified, including particular concerns, existing mitigation measures and incremental risk response strategies, if required.

4.2.5 Program Monitoring and Recipient Auditing

a) Purpose: The purpose of this section is to provide a description of the monitoring and recipient auditing practices which are to be undertaken by management. It should reflect the risk identification and elaboration work done in the previous section; in particular, it should reflect the mitigation (in this case, monitoring or recipient auditing) of those risks for which the response was to implement controls. This section should reflect all activities related to monitoring of the overall program and the recipients' compliance with terms and conditions through detailed operational and financial procedures.

b) Process: Monitoring. The description of overall monitoring should demonstrate that management has covered, by adequate means and measures, those risks for which the mitigation strategy was controls. Typical monitoring objectives would include:

• Achievement of established outputs/outcomes;
• Risks or impediments to the achievement of outputs/outcomes;
• Due diligence in determining eligibility of recipients and the expenditure of funds;


• The efficient, effective and economical use of resources; and
• Whether or not the program is being administered in accordance with the appropriate terms and conditions at all stages of the transfer payment life cycle (i.e. selection, administration, delivery and reporting).

The description of detailed monitoring of compliance should outline the operational and financial procedures, including:

• Interviews and documentation reviews to assess milestone achievements;
• Expense claim verification procedures;
• Stacking requirements verification procedures; and
• Reviews of recipient financial statements.

The existing and incremental mitigation measures for key risks, included in the Program Risk Assessment, Identification and Management Summary section, provide relevant and current information for the preparation of the overall monitoring section. The Results-based Management and Accountability Framework (RMAF) should also provide relevant information with regard to monitoring the achievement of outcomes.

Recipient Auditing. Recipient auditing is often the only effective way to establish:

• That funds were used for the intended purposes;
• Compliance with terms and conditions; and
• Reliability of results data.

Recipient Auditing is applicable to contribution agreements because of their conditional nature. In cases where contribution agreements allow recipients to establish sub-agreements, management may also choose to audit the third, fourth, etc. party recipients' sub-agreement activities, i.e. all the links of the chain through to the end recipient (and the original Terms and Conditions of the Contribution Agreement should provide for this). Particular attention should be paid to Alternative Service Delivery (ASD) arrangements, i.e. where another party delivers the funds to the end recipient on behalf of the program manager, as this arrangement is inherently higher risk than direct delivery to the recipient. Grant programs conduct strict eligibility checks before issuing grants. However, once grants are issued, there is no further requirement to verify the recipient's use of funds, i.e. recipient auditing is not applicable in this instance. The PTP sets out the requirement for a "risk-based" approach for determining whether or not an audit should be conducted and, if conducted, its objectives, scope and extent. The risk methodology used here should


be consistent with that used in the previous section for program risk identification, assessment and management. In fact, the results of the risk assessment performed in the previous section (particularly those risk factors having to do with the recipient) should be brought forward and augmented, as needed, by factors that may not have been identified there (e.g. knowledge of the recipient held by the Finance or Internal Audit groups but not by the program manager) and further augmented by "audit risk" factors (i.e. risk factors having to do with the possibility of the auditor drawing the wrong conclusion: concluding that all is well when it is not, or that all is not well when in fact it is).

This section should describe the process used for deciding on and planning recipient audits, considering the following steps:

1. Audit Objectives

• Establish the audit objectives to verify compliance with terms and conditions and, if required, the reliability of results data.

4.2.6 Internal Auditing

a) Purpose: An internal audit of a transfer payment program can provide valuable assistance to management by providing assurance as to the soundness of the risk management strategy and practices, the management control framework and practices, and the information being used for decision making and reporting. Specifically, internal audits may examine whether:

• Due diligence is exercised with regard to the expenditure of public funds;
• The program is administered in accordance with the terms and conditions of the funding authority;
• Relevant legislation and policy (e.g. Sections 3


• A description of the results of any recent internal audits performed;
• Anticipated audit objectives, scope, timing and expected cost, in cases where the need for an audit has been affirmed by IA;
• A description of the risk-based audit planning methodology used for all departmental programs (including Transfer Payment Programs); and
• If it is decided that no internal auditing will be performed, an explanation of that decision.

4.2.7 Reporting Strategies

a) Purpose: The final component of the RBAF ensures that plans are in place to systematically report (both internally and externally) on the results of ongoing monitoring, recipient auditing, internal auditing and evaluation. (Note: if reporting of evaluation results is already provided for in the RMAF, it may simply be copied here for completeness.)

b) Process: There are many potential users of this information, and the reporting strategy should consider all of their needs (e.g. management decision-making, accountability and communication/information sharing). Potential users of risk information include program management, central agencies and internal and external stakeholders.

c) Product: At a minimum, the reporting strategy should include a description of:

• Periodic reports which are produced for monitoring purposes;
• Agreed-upon recipient audit reports;
• Evaluation reports;
• Internal audit reports that will be provided;
• Who is responsible (especially when multiple parties are involved) for producing reports; and
• The mechanisms (e.g. annual progress reports, mid-term reports, Departmental Performance Reports) and timeframes for reporting on operational monitoring, recipient audits and internal audits to the lead department, TBS, TB Ministers and/or Parliament.

4.3 RBAF/RMAF Integration

Benefits of Integrated Performance and Risk Assessment and Reporting


The PTP also requires that management develop a Results-Based Management and Accountability Framework (RMAF) to provide measurement and evaluation strategies for assessing the performance of a transfer payment program. The RBAF and RMAF are complementary documents that provide managers with the means and measures for enhancing program monitoring and reporting. In this regard, the RBAF and RMAF have natural points of integration that relate to the typical analytical and planning approaches used by managers to monitor program operations and performance. For example, it is quite natural for program managers to simultaneously contemplate performance and risk issues when considering whether or not program objectives will be achieved. This integrated thinking facilitates the development of practices and procedures that fulfil the dual function of promoting the achievement of objectives and mitigating risks to performance. The links between performance and risk, including data collection elements (baseline data) and control frameworks, should be considered at the beginning of the program lifecycle. This integrated approach will assist in clearly identifying all objectives, the program context, and potential internal and external risks to the achievement of objectives. In this regard, it is recognized that the RBAF must be "risk sensitive" and that the RMAF must be "performance sensitive", i.e. linking risk to the program outcomes and performance measurement strategies.


5. IS Audit Standards

5.1 Code of Professional Ethics

The Information Systems Audit and Control Association, Inc. (ISACA) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders.

Members and ISACA Certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.

5.2 IS Auditing Standards

globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:

Standards define mandatory requirements for IS auditing and reporting. They inform:

• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
• Management and other interested parties of the profession's expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

Resources should be used as a source of best practice guidance. The COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control."

COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.


As defined in the COBIT Framework, each of the following is organized by IT management process. COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage enables the understanding of business objectives, the communication of best practices, and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:

Control Objectives: High-level and detailed generic statements of minimum good control

Control Practices: Practical rationales and "how to implement" guidance for the control objectives

Audit Guidelines: Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met

Management Guidelines: Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors. It provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:

• Performance measurement: How well is the IT function supporting business requirements? Management Guidelines can be used to support self-assessment workshops, and they also can be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.
• IT control profiling: What IT processes are important? What are the critical success factors for control?
• Awareness: What are the risks of not achieving the objectives?
• Benchmarking: What do others do? How can results be measured and compared? Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.


5.3 IS Auditing Guidelines

Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT's information criteria.

In the case of this specific audit area, Review of Internet Banking, the processes in COBIT likely to be the most relevant are: selected Plan and Organise IT processes, selected Acquire and Implement IT processes, selected Deliver and Support processes, and selected Monitor and Evaluate processes. Therefore, COBIT guidance for the following processes should be considered relevant when performing the audit:

• PO1: Define a Strategic IT Plan
• PO3: Determine Technological Direction
• PO: Ensure Compliance with External Requirements
• PO: Assess Risk
• AI: Define and Manage Service Levels
• DS


6. Use of Computer-Assisted Audit Techniques (CAATs)

6.1 Background

6.1.1 Linkage to Standards

6.1.1.1 Standard 060 (Performance of Audit Work) states: "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

6.1.1.2 Standard 050 (Planning) states: "The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable laws and professional auditing standards."

6.1.1.3 Standard 030 (Professional Ethics and Standards) states: "The IS auditor should exercise due professional care, including observance of applicable professional auditing standards."

6.1.2 Need for Guideline

6.1.2.1 Computer Assisted Audit Techniques (CAATs) are important tools for the IS auditor in performing audits.

6.1.2.2 CAATs include many types of tools and techniques, such as generalised audit software, utility software, test data, application software tracing and mapping, and audit expert systems.

6.1.2.3 CAATs may be used in performing various audit procedures, including:

• Tests of details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of IS application controls
• Penetration testing

6.1.2.4 CAATs may produce a large proportion of the audit evidence developed on IS audits and, as a result, the IS auditor should carefully plan for and exhibit due professional care in the use of CAATs.


6.1.2.5 This Guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above Standards, use professional judgment in its application and be prepared to justify any departure.

6.1.2.6 This guidance should be applied in using CAATs regardless of whether the auditor concerned is an IS auditor.

6.2 Planning

6.2.1 Decision Factors for Using CAATs

6.2.1.1 When planning the audit, the IS auditor should consider an appropriate combination of manual techniques and CAATs. In determining whether to use CAATs, the factors to be considered include:

• Computer knowledge, expertise, and experience of the IS auditor
• Availability of suitable CAATs and IS facilities
• Efficiency and effectiveness of using CAATs over manual techniques
• Time constraints
• Integrity of the information system and IT environment
• Level of audit risk

6.2.2 CAATs Planning Steps

6.2.2.1 The major steps to be undertaken by the IS auditor in preparing for the application of the selected CAATs are:

• Set the audit objectives of the CAATs
• Determine the accessibility and availability of the organisation's IS facilities, programs/system and data
• Define the procedures to be undertaken (e.g., statistical sampling, recalculation, confirmation, etc.)
• Define output requirements
• Determine resource requirements, i.e., personnel, CAATs, processing environment (organisation's IS facilities or audit IS facilities)
• Obtain access to the organisation's IS facilities, programs/system, and data, including file definitions
• Document CAATs to be used, including objectives, high-level flowcharts, and run instructions


6.2.3 Arrangements with the Auditee

6.2.3.1 Data files, such as detailed transaction files, are often only retained for a short period of time; therefore, the IS auditor should make arrangements for the retention of the data covering the appropriate audit time frame.

6.2.3.2 Access to the organisation's IS facilities, programs/system, and data should be arranged well in advance of the needed time period in order to minimise the effect on the organisation's production environment.

6.2.3.3 The IS auditor should assess the effect that changes to the production programs/system may have on the use of the CAATs. In doing so, the IS auditor should consider the effect of these changes on the integrity and usefulness of the CAATs, as well as the integrity of the programs/system and data used by the IS auditor.

6.2.4 Testing the CAATs

6.2.4.1 The IS auditor should obtain reasonable assurance of the integrity, reliability, usefulness, and security of the CAATs through appropriate planning, design, testing, processing and review of documentation. This should be done before reliance is placed upon the CAATs. The nature, timing and extent of testing is dependent on the commercial availability and stability of the CAATs.

6.2.5 Security of Data and CAATs

6.2.5.1 Where CAATs are used to extract information for data analysis, the IS auditor should verify the integrity of the information system and IT environment from which the data are extracted.

6.2.5.2 CAATs can be used to extract sensitive program/system information and production data that should be kept confidential. The IS auditor should safeguard the program/system information and production data with an appropriate level of confidentiality and security. In doing so, the IS auditor should consider the level of confidentiality and security required by the organisation owning the data and any relevant legislation.

6.2.5.3 The IS auditor should use and document the results of appropriate procedures to provide for the ongoing integrity, reliability, usefulness, and security of the CAATs. For example, this should include a review of program maintenance and program change controls over embedded audit software to determine that only authorised changes were made to the CAATs.


6.2.5.4 When the CAATs reside in an environment not under the control of the IS auditor, an appropriate level of control should be in effect to identify changes to the CAATs. When the CAATs are changed, the IS auditor should obtain assurance of their integrity, reliability, usefulness, and security through appropriate planning, design, testing, processing and review of documentation before reliance is placed on the CAATs.

6.3 Performance of Audit Work

6.3.1 Gathering Audit Evidence

6.3.1.1 The use of CAATs should be controlled by the IS auditor to provide reasonable assurance that the audit objectives and the detailed specifications of the CAATs have been met. The IS auditor should:

• Perform a reconciliation of control totals if appropriate
• Review output for reasonableness
• Perform a review of the logic, parameters or other characteristics of the CAATs
• Review the organisation's general IS controls which may contribute to the integrity of the CAATs (e.g., program change controls and access to system, program, and/or data files)
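The controls listed in 6.3.1.1, together with the change-detection requirement of 6.2.5.3 and 6.2.5.4, as one added worked example (this is not ISACA's code or code from the original document): a generalised-audit-software style run that reconciles an extract to the auditee's control totals, reviews the output for reasonableness, and records a manifest of the CAAT code and parameters so that any change since the tested version is detected. The extract layout, the control-total conventions (record count, hash total of account numbers, value total), the manifest format and every figure are constructed assumptions.

```python
"""Controls over a generalised-audit-software run: proving the CAAT is the one that
was tested, reconciling the extract to the auditee's control totals, and checking
the output for reasonableness.

Added example for this page, not ISACA's or the original document's code. The
extract layout, the control-total conventions (record count, hash total of
account numbers, value total), the manifest format and all figures are constructed
assumptions.
"""
import hashlib
from decimal import Decimal

# Constructed extract of the auditee's transaction file, as pulled by the CAAT.
EXTRACT = """txn_id,account,amount
1001,4401,125.00
1002,4402,-30.50
1003,4403,980.00
1004,4401,55.25
"""

# The same extract with a row appended after the control totals were struck.
EXTRACT_TAMPERED = EXTRACT + "1004,4405,2500000.00\n"

# Control totals reported by the auditee's operations group for the file (constructed).
AUDITEE_TOTALS = {"record_count": 4, "hash_total": 17607, "value_total": Decimal("1129.75")}

# Parameters the CAAT was tested with, and the ceiling used by the reasonableness check.
TESTED_PARAMS = {"period": "2019-Q2", "amount_ceiling": "100000.00"}
AMOUNT_CEILING = Decimal(TESTED_PARAMS["amount_ceiling"])


def parse_extract(text):
    """Parse the CSV extract; amounts become Decimal so totals reconcile exactly."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["account"] = int(row["account"])
        row["amount"] = Decimal(row["amount"])
        records.append(row)
    return records


def control_totals(records):
    """Record count, hash total (a meaningless sum used only as a check value) and value total."""
    return {
        "record_count": len(records),
        "hash_total": sum(r["account"] for r in records),
        "value_total": sum((r["amount"] for r in records), Decimal("0")),
    }


def reconcile(records, reported):
    """Return (field, computed, reported) for every control total that does not agree."""
    computed = control_totals(records)
    return [(k, computed[k], reported[k]) for k in reported if computed[k] != reported[k]]


def reasonableness_exceptions(records, amount_ceiling):
    """Flag duplicate transaction ids and amounts outside the expected range."""
    seen, exceptions = set(), []
    for r in records:
        if r["txn_id"] in seen:
            exceptions.append(("duplicate_id", r["txn_id"]))
        seen.add(r["txn_id"])
        if abs(r["amount"]) > amount_ceiling:
            exceptions.append(("amount_out_of_range", r["txn_id"]))
    return exceptions


def caat_manifest(script_bytes, params):
    """Record what was tested: SHA-256 of the CAAT code plus the parameters it ran with."""
    return {"sha256": hashlib.sha256(script_bytes).hexdigest(), "params": dict(params)}


def caat_changes(script_bytes, params, manifest):
    """List what changed since the manifest was taken: 'code' and/or 'param:<name>'."""
    changes = []
    if hashlib.sha256(script_bytes).hexdigest() != manifest["sha256"]:
        changes.append("code")
    for name in set(manifest["params"]) | set(params):
        if manifest["params"].get(name) != params.get(name):
            changes.append("param:" + name)
    return sorted(changes)


if __name__ == "__main__":
    print("clean extract differences:", reconcile(parse_extract(EXTRACT), AUDITEE_TOTALS))
    print("tampered extract differences:", reconcile(parse_extract(EXTRACT_TAMPERED), AUDITEE_TOTALS))
    print("reasonableness:", reasonableness_exceptions(parse_extract(EXTRACT_TAMPERED), AMOUNT_CEILING))
```

The clean extract reconciles on all three totals; the tampered one fails all three and the appended row is also caught twice by the reasonableness review (a reused transaction id and an amount above the ceiling). The manifest is what the workpaper should hold: when the CAAT sits on the auditee's system, re-hashing the code and comparing the parameters before each run is the practical way to meet 6.2.5.4's requirement to identify changes, and any difference means re-testing before reliance.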

    6.$.2 Generalised !udit Soft&are

    &.".2.1When using generalised audit soft$are to access the production data% the

    IS auditor should take appropriate steps to protect the integrity of the

    organisationAs data# With embedded audit soft$are% the IS auditor should be

    inoled in system design and the techni*ues $ill hae to be deeloped and

    maintained $ithin the organisationAs application programs,systems#

    6.$.$ tilit* Soft&are

    &.".".1 When using utility soft$are% the IS auditor should confirm that no

    unplanned interentions hae taken place during processing and that the utility

    soft$are has been obtained from the appropriate system library# The IS auditor

    should also take appropriate steps to protect the integrity of the organisationAs

    system and files since these utilities can easily damage the system and its files#

    6.3.4 Test Data

    6.3.4.1 When using test data, the IS auditor should be aware that test data only point out the potential for erroneous processing; this technique does not evaluate actual production data. The IS auditor also should be aware that test data analysis can be extremely complex and time consuming, depending on the number of transactions processed, the number of programs tested, and the complexity of the programs/system. Before using test data the IS auditor should verify that the test data will not permanently affect the live system.

    6.3.5 Application Software Tracing and Mapping

    6.3.5.1 When using application software tracing and mapping, the IS auditor should confirm that the source code being evaluated generated the object program currently being used in production. The IS auditor should be aware that application software tracing and mapping only points out the potential for erroneous processing; it does not evaluate actual production data.

    6.3.6 Audit Expert Systems

    6.3.6.1 When using audit expert systems, the IS auditor should be thoroughly knowledgeable of the operations of the system to confirm that the decision paths followed are appropriate to the given audit environment/situation.

    6.4. CAATs Documentation

    6.4.1 Workpapers

    6.4.1.1 The step-by-step CAATs process should be sufficiently documented to provide adequate audit evidence.

    6.4.1.2 Specifically, the audit workpapers should contain sufficient documentation to describe the CAATs application, including the details set out in the following sections.

    6.4.2 Planning

    6.4.2.1 Documentation should include:

    - CAATs objectives
    - CAATs to be used
    - Controls to be exercised
    - Staffing and timing

    6.4.3 Execution

    6.4.3.1 Documentation should include:

    - CAATs preparation and testing procedures and controls
    - Details of the tests performed by the CAATs
    - Details of inputs (e.g., data used, file layouts), processing (e.g., CAATs high-level flowcharts, logic) and outputs (e.g., log files, reports)
    - Listing of relevant parameters or source code

    6.4.4 Audit Evidence

    6.4.4.1 Documentation should include:

    - Output produced
    - Description of the audit analysis work performed on the output
    - Audit findings
    - Audit conclusions
    - Audit recommendations

    6.5. Reporting

    6.5.1 Description of CAATs

    6.5.1.1 The objectives, scope and methodology section of the report should contain a clear description of the CAATs used. This description should not be overly detailed, but it should provide a good overview for the reader.

    6.5.1.2 The description of the CAATs used should also be included in the body of the report, where the specific finding relating to the use of the CAATs is discussed.

    6.5.1.3 If the description of the CAATs used is applicable to several findings, or is too detailed, it should be discussed briefly in the objectives, scope and methodology section of the report and the reader referred to an appendix with a more detailed description.