
IT Control and Audit - Appendix 1-IT Planning Memo

This memo outlines the procedures for the involvement of IT Auditors in the financial statement audit for [company name] for the year ending [Month XX, 20XX]. It details the planning discussions, the IT audit team's structure, timing, hours, and the understanding of the IT environment, including relevant applications and controls. Additionally, it addresses the evaluation of service organization controls and other areas where IT auditors may assist the financial audit team.

Appendix 1: IT Planning Memo

Memo
Date: [Date]

To: The Financial Statement Audit File

From: [IT Auditor Representative], [Office Location]

Subject: IT Audit Planning

Purpose
The purpose of this memo is to outline the procedures associated with the involvement of the
Information Technology Auditors (“IT Auditors”) in connection with the financial statement
audit (“financial audit”) of [company name] ([“company abbreviated name” or “the Company”])
for the year [ending or ended] [Month XX, 20XX]. The approach for the IT audit outlined herein
serves as a supplement to the financial audit planning memorandum and should be reviewed in
conjunction with such working paper.

Planning Discussions
(The planning meeting between the financial audit team and the IT audit team should be documented
in this planning memo. Modify the sections below as applicable.)
As detailed in the working paper [working paper reference number], a discussion with the financial
audit Partner, Principal, or Director was held to determine the level of IT audit involvement.
(If an IT auditor has already been involved in the audit, describe previous involvement and/or any
relevant planning discussions herein.) During this planning meeting, risk assessments of areas to
be addressed were also discussed along with the nature, extent, and timing of planned tests of
controls described further in this planning memo.


IT Audit Team
The IT audit team will consist of the following:

Role | Name
Partner, Principal, or Director |
Manager or Senior Manager |
Senior |
Staff |

Timing
Timing of the IT audit work is scheduled as follows:

1. Planning (starting [MM/DD/YY], ending [MM/DD/YY])
2. Interim (starting [MM/DD/YY], ending [MM/DD/YY])
3. Year end (starting [MM/DD/YY], ending [MM/DD/YY])
4. Sign-off date ([MM/DD/YY])

Hours
Hours and costs are based on the estimated time required to complete the IT audit procedures and
the level of experience required. Detailed IT audit procedures have been planned with the financial
audit team, including discussions regarding the necessary documentation and assistance to be
provided by the Company to facilitate the effective and efficient performance of the procedures.
It is estimated that the IT audit procedures will take [##] hours to complete.
The hours incurred are to be charged to: [Company charge code/number].
During the course of the IT audit, any circumstances encountered that could significantly affect
the performance of such audit procedures will be promptly communicated to the financial audit team
and Company personnel, as appropriate, including any additional hours resulting from such
circumstances.

Understand the IT Environment


Meetings with Company personnel will take place in order to gather or update the existing
understanding of the IT environment, including significant changes from the prior year. This
understanding will be considered as part of the planning process and documented in working paper
[working paper reference number].

Relevant Applications and Technology Elements


As agreed with the financial audit team, applications are classified as relevant to the audit when
they:

◾ are used to support a critical business process (e.g., revenues, expenditures, payroll, etc.)
◾ have information generated by the organization (IGO) that is significant for a financial audit
test procedure or in the context of any internal controls, such as information used to test a
relevant control activity or information used by the Company to perform the control activity
◾ include application or automated control activities that have been identified as addressing
significant financial audit risks

Relevant applications and their related technology elements have been identified in the following
table or documented at [working paper reference number].

Relevant Application | Database | Operating System | Network

IT Risks and Controls


IT risks have been identified on the relevant applications based on the understanding obtained
from (1) the IT environment, (2) existing application controls, and (3) IGO. Certain control
activities will be assessed to determine whether they are adequately designed and operate effectively to
address those risks. Refer to working paper [working paper reference number] where such controls
have been identified and listed.

Relevant Application Controls


In addition to the general control IT areas (information systems operations, information security,
and change control management), the IT audit team will test certain relevant application controls.
Meetings between the IT audit team and appropriate members of the financial audit team will
occur to:

1. understand how application or automated controls work
2. evaluate if they have been adequately designed and implemented
3. assess whether they operate effectively

The relevant application controls to be tested are noted below.

Working Paper Reference # | Relevant Application | Relevant Application Control

Information Generated by the Organization


IGO has been identified and classified as significant for an audit test procedure or in the context of
any internal controls. This means that certain information will be used as part of various audit tests
of controls and/or organization personnel will use such information to perform controls. Given the relevance
of this information, the IT audit will include procedures to assess its accuracy and completeness.

Deficiency Evaluation
If deviations or findings result from the IT test procedures performed, they will be assessed to
determine their nature and cause, and whether they represent a control deficiency. Evaluation of
control deficiencies will be performed in conjunction with the financial audit team. Refer to
working paper [working paper reference number], where such evaluation will be documented.

Work of Others
(The work of others may include work from internal auditors, Company personnel (in addition to
internal auditors), and third parties. The sample language below focuses on internal audit, and should be
tailored if the work of others is utilized.)
The IT audit team is planning to rely upon the Company’s Internal Audit (IA) function to support
the IT control procedures. (This language should be altered if IA will be used in a “direct assistance”
capacity versus using IA’s own work.)
If reliance will be placed on certain audit areas performed by IA personnel, the IT audit team will
assess and document the competence and objectivity of such IA personnel whose work will be
relied upon in order to determine the extent to which such work can be used.
To determine the quality and effectiveness of specific work performed by the internal auditors, the
following will be assessed:

◾ whether the IA work is appropriate to meet the audit objectives
◾ whether the IA audit work program is adequate and complete
◾ whether the IA work documentation is acceptable in quality and quantity
◾ whether results and conclusions are appropriate and consistent with the IA work

Evaluation of Service Organization Controls


(This section is applicable if there are external service organizations that perform services or general
controls relevant for the audit.)
A service auditor’s report will be obtained for the relevant general controls related to the [relevant
application(s)] application(s) performed by [name of service organization]. A review of the report
will be performed by the IT audit team to understand the relevant services provided by the service
organization. Specifically, the IT audit team will evaluate the service organization controls by:

◾ assessing the IT controls and related exceptions in the report
◾ documenting the IT complementary or locally based user controls specified in the report
(These controls are implemented in the Company and, thus, are not part of the service
organization; however, they complement service organization controls. The IT auditor typically documents
these controls by tying them to the IT audit work performed as part of the IT audit of general
controls IT areas.)

(The table below can be included to summarize information about the relevant service organizations.)

Service Organization | Brief Description of Service(s) Provided | Relevant Service Organization Location | Service Auditor | Report Period | Report Type/Conclusion

Other Areas of IT Audit Assistance


(This section includes other areas where IT auditors may provide assistance to the financial audit team,
including, but not limited to, fraud assistance, tests of business/financial controls, tests of IT entity-level
controls, etc.)
