In all cases, auditors are called to audit products, processes and systems.
Standards
Auditing standards
There are two basic categories of audit testing: an audit either verifies that an item required for compliance exists (compliance test) or examines the substance and integrity of a claim (substantive test).
Audit standards:
S1 Audit Charter
S2 Independence
S3 Professional Ethics and Standards of Conduct
S4 Professional Competence
S5 Planning
S6 Performance of Audit Work
S7 Audit Reporting
S8 Follow-up Activities
S9 Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Analysis in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other People
S14 Proper Audit Evidence
S15 Effective IT Controls
S16 Electronic Commerce Controls
In most cases, the archive of the integrated audit may need to be kept for seven years. Each type of audit may have a longer or shorter retention period, depending on the regulations identified during audit planning.
The evidence rule
A good auditor will use sufficient evidence to formulate the auditor’s opinion.
Chapter 2: Managing IT governance
Marketing
Manufacturing / Software development
Sales
Finance
Legal
Quality control
Research and development
Program and project management office
Business continuity
Information technology
Human resources
Labor management
Administration
Data integrity: the goal is to ensure that data is accurate and safely stored.
Backup and restoration: what are the plans and procedures for data backup and restoration? The number one issue in IT is loss of data due to faulty backups.
Every audit will contain a list of objectives. High-level objectives may come from executive mandate, regulations, or industry standards. The auditor should expect audit program objectives to vary according to department, task, subject matter, or a particular step in the process workflow. Larger organizations have more audit objectives; smaller organizations usually have fewer, because management has better control and fewer communication problems in a smaller organization.
The audit planning issues should be considered regardless of the size of the organization:
The audit committee manages planned audit activities and the results of both internal and external audits. The committee is authorized to engage outside experts for independent assurance.
Inherent risks: these are natural or built-in risks that always exist.
Detection risks: these are the risks that an auditor will not be able to detect what is being sought. It would be terrible to report no negative results when material conditions (faults) actually exist. Detection risks include sampling and nonsampling risks.
o Sampling risks: these are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).
o Nonsampling risks: these are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).
Control risks: these are the risks that an auditor loses control, that errors could be introduced, or that errors may not be corrected in a timely manner.
Business risks: these are risks that are inherent in the business or industry itself (regulatory, contractual, financial).
Technological risks: these are the inherent risks of using automated technology.
Operational risks: these are the risks that a process or procedure will not perform correctly.
Residual risks: these are the risks that remain after all mitigation efforts are performed.
Audit risks: the combination of inherent, detection, control, and residual risks. These are the same risks facing normal business operations.
- Staff observation
- Document review
- Interviews
- Workshop
- Computer assisted audit tools (CAAT)
- Surveys
Audit samples are selected for the purpose of collecting representative evidence to be subjected to either compliance testing or substantive testing. Two basic types of audit samples can be designed by the auditor: statistical and nonstatistical.
Random sampling: samples are selected at random.
Grading of evidence
Four criteria:
- Material relevance;
- Evidence objectivity;
- Competency of evidence provider;
- Evidence independence.
Substantive testing
Each finding of evidence can be classified into one of these common reporting statements, presented in order of most desirable to least desirable:
Noteworthy achievement
Conformity
Opportunity for Improvement
Concern
Nonconformity
Fraud
Theft
Suppression
Racketeering
Regulatory violations