
Chapter 2

Audit Planning
Audit Planning – Why?
• An auditor should plan the work so as to conduct an effective audit in an efficient and timely manner.
• Audit planning is required because it facilitates the following:
i. Ensures that appropriate attention is devoted to all important areas of the audit.
ii. Ensures that potential problems are properly identified.
iii. Ensures that work is completed expeditiously.
Factors to be considered for audit planning
1. Complexity of the audit.
2. Environment in which the organization operates.
3. Knowledge of the area of business.
5. Discussion with top management.
Tasks
• There are five (5) tasks within IS audit planning:
1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Plan how to conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
The TEN knowledge statements
1. Knowledge of IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
2. Knowledge of IS auditing practices and techniques
3. Knowledge of techniques to gather information and preserve evidence
4. Knowledge of the evidence life cycle
5. Knowledge of control objectives and controls related to IS
6. Knowledge of risk assessment in an audit context
7. Knowledge of audit planning and management techniques
8. Knowledge of reporting and communication techniques
9. Knowledge of control self-assessment (CSA)
10. Knowledge of continuous audit techniques
Audit Planning Steps
1. Gain an understanding of the business’s mission, objectives, purpose and processes.
2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure).
3. Evaluate risk assessment and privacy impact analysis.
4. Perform a risk analysis.
5. Conduct an internal control review.
Set the audit scope and audit objectives.
6. Develop the audit approach or audit strategy.
7. Assign personnel resources to the audit and address engagement logistics.
ISACA IS Auditing Standards and Guidelines
• The framework for the ISACA IS Auditing Standards provides for multiple levels, as follows:
  • Standards define mandatory requirements for IS auditing and reporting.
  • Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any departure.
  • Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when completing information systems auditing work, but do not set requirements.
Materiality
• An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited.
• Materiality is judged in terms of its inherent nature, impact (influence) value, use value, and the circumstances (context) in which it occurs. It is the opposite of triviality.
• In assessing materiality, the IT auditor should consider:
  – The aggregate level of error acceptable to management, the IT auditor, and appropriate regulatory agencies.
  – The potential for the cumulative effect of small errors or weaknesses to become material.
• While establishing materiality, the auditor may audit non-financial items such as physical access controls, logical access controls, and systems for personnel management, manufacturing control, design, quality control, and password generation.
• While planning the audit work to meet the audit objectives, the auditor should identify relevant control objectives and determine, based on materiality, which controls should be examined. Internal control objectives are set by management and identify what management strives to achieve through its internal controls.
• Where financial transactions are not processed, the following are some measures the auditor should consider when assessing materiality:
  – Criticality of the business processes supported by the system or operation.
  – Cost of the system or operation (hardware, software, third-party services).
  – Potential cost of errors.
  – Number of accesses/transactions/inquiries processed per period.
  – Penalties for failure to comply with legal and contractual requirements.
Evaluation of Internal Controls
• Policies, procedures, practices and organizational structures implemented to reduce risks are referred to as internal controls.
• Internal controls are developed to provide reasonable assurance that an organization’s business objectives will be achieved and undesired risk events will be prevented, or detected and corrected, based on either compliance or management-initiated concerns.
• The auditor evaluates the organization’s control structure by understanding the organization’s five interrelated control components.
Control components
• Control Environment: Provides the foundation for the other components. Encompasses such factors as management’s philosophy and operating style.
  – The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system and for continuously monitoring its effectiveness, although each individual within an organization must take part in this process.
• Risk Assessment: Consists of risk identification and analysis.
• Control Activities: Consists of the policies and procedures that ensure employees carry out management’s directions. Types of control activities an organization must implement are preventive controls (controls intended to stop an error from occurring), detective controls (controls intended to detect whether an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).
• Information and Communication: Ensures the organization obtains pertinent information, and then communicates it throughout the organization.
• Monitoring: Reviewing the output generated by control activities and conducting special evaluations.
Internal Control Objectives
• Safeguarding of information technology assets
• Compliance with corporate policies or legal requirements
• Authorization of input
• Accuracy and completeness of processing of transactions
• Output authorization
• Reliability of processes
• Backup/recovery
• Efficiency and economy of operations
Two Things
• There are two key aspects that a control needs to address: what you want to achieve (objectives) and what you want to avoid (risk). Internal controls not only address business/operational objectives but also need to address undesired events by preventing, detecting, and correcting them.
Categories
• Controls are generally categorized into 3 major classifications:
  – Preventive: These controls deter problems before they arise.
  – Detective: Controls that detect and report the occurrence of an error, omission or malicious act.
  – Corrective: These controls minimize the impact of a threat, remedy problems discovered by detective controls, and identify the cause of a problem.
IS Control Objectives
Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.
• Safeguarding assets
• Assuring the integrity of general operating system environments
• Assuring the integrity of sensitive and critical application system environments through:
  – Authorization of the input
  – Accuracy and completeness of processing of transactions
  – Reliability of overall information processing activities
  – Accuracy, completeness and security of the output
  – Database integrity
• Ensuring the efficiency and effectiveness of operations
• Complying with requirements, policies and procedures, and applicable laws
• Developing business continuity and disaster recovery plans
• Developing an incident response plan
Types of controls
• Information system controls are classified into two broad categories:
  – General controls
  – Application controls
• General controls include controls over data centre operations, system software acquisition and maintenance, access security, and application system development and maintenance.
General controls
• They create the environment in which the application systems and application controls operate. Examples: IT policies, standards, and guidelines pertaining to IT security and information protection, application software development and change controls, segregation of duties, service continuity planning, IT project management, etc.
Factors to consider
• The following points should be covered while reviewing these controls:
(i) Obtain a list of hardware, including computer, ancillary and terminal equipment in use, indicating model and performance details, and check the existence of this equipment.
(ii) Obtain an organizational chart which is up-to-date and see how the computer fits into the overall organization.
(iii) Obtain an up-to-date staff organization chart of the computer department showing the relative responsibilities and authorities, and note any changes on review.
(iv) Obtain job specifications (role definitions) for senior computer staff and supervisors of the ancillary section, and note any changes.
(v) Obtain the details of standards and norms fixed for each of the functions, such as data control, data preparation and system operation, and verify their implementation.
(vi) Check whether manuals are maintained and kept up-to-date specifying the control procedures, and whether they are enforced in practice through a 'test check'.
Application controls
• Application controls pertain to specific computer applications. They include controls that help to:
  – Ensure the proper authorization, completeness, accuracy, and validity of transactions, maintenance, and other types of data input. Examples include system edit checks of the format of entered data to help prevent invalid input, and system-enforced transaction controls that prevent users from performing transactions that are not part of their normal duties.
• Before evaluating application controls, the auditor will need to obtain a reasonable understanding of the system. For this purpose, a brief description of the application should be prepared:
(i) indicating the major transactions,
(ii) describing the transaction flow and main output,
(iii) indicating the major files maintained, and
(iv) providing approximate figures for transaction volumes.
• Application control requirements may be divided into:
(i) Documentation standards
(ii) Input control
(iii) Processing control
(iv) Output control
(v) Master/Standing Data File control
(vi) Audit requirements
Factors to consider
• Audit of an operational application system involves verification of input/output controls, processing controls and the audit trail. Evidence may be obtained on the following points in the course of the audit to come to a reasonable conclusion regarding the existence of controls and their adequacy:
(i) Whether the data processed are genuine, complete, accurate and not provisional;
(ii) Whether expected output is produced and distributed on time;
(iii) Whether application programs process the data as intended and accurately;
(iv) Whether a complete audit trail is available for tracing back a transaction from the final result to the initial input;
(v) Whether the data and changes to it are authorised by appropriate authority in both the user and computer departments.
Audit trail
• The objective of the audit trail is to obtain sufficient evidential matter regarding the reliability and integrity of the application system. To achieve this, the audit trail should contain enough information to allow management, the auditor and the user:
(i) to recreate processing actions;
(ii) to verify summary totals; and
(iii) to trace the sources of intentional and unintentional errors.
• The audit trail should include the following information:
  – System information including start-up time, stop time, restarts, recovery, etc.
  – Transaction information including input items which change the database, control totals and rejected items (relevant to database applications).
  – Communication information including terminal log-on/off, password use, security violations, network changes and transmission statistics (relevant to transaction processing, i.e. TP applications).
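As an added illustration (not part of the original slides), the following Python sketch uses a constructed sample batch and a hypothetical duty table to show the two application controls named under "Application controls" (an edit check on the format of entered data, and a system-enforced restriction on which transaction types a user may perform) feeding the kind of audit trail described above: each decision is recorded with its original input item, rejected items are listed with reasons, control totals are produced for reconciliation, and any result can be traced back to its initial input.

```python
import re

# Constructed sample input batch (hypothetical payment transactions as captured at data entry).
INPUT_BATCH = [
    {"id": "T1", "user": "clerk_a", "type": "PAYMENT", "account": "ACC-000123", "amount": "250.00"},
    {"id": "T2", "user": "clerk_a", "type": "PAYMENT", "account": "ACC-12", "amount": "99.50"},
    {"id": "T3", "user": "clerk_b", "type": "APPROVE", "account": "ACC-000123", "amount": "250.00"},
    {"id": "T4", "user": "clerk_a", "type": "APPROVE", "account": "ACC-000123", "amount": "250.00"},
    {"id": "T5", "user": "clerk_b", "type": "PAYMENT", "account": "ACC-000456", "amount": "-40"},
]
# Hypothetical duty assignment: transaction types each user may perform (segregation of duties).
ALLOWED = {"clerk_a": {"PAYMENT"}, "clerk_b": {"PAYMENT", "APPROVE"}}
ACCOUNT_FMT = re.compile(r"^ACC-\d{6}$")  # assumed account number format

def edit_check(txn):
    """Input control: format and value checks before processing; returns a rejection reason or None."""
    if not ACCOUNT_FMT.match(txn["account"]):
        return "invalid account format"
    try:
        amount = float(txn["amount"])
    except ValueError:
        return "amount not numeric"
    return None if amount > 0 else "amount must be positive"

def process_batch(batch):
    """Apply the controls to each item; keep accepted items, rejected items and an audit trail."""
    res = {"accepted": [], "rejected": [], "audit_trail": []}
    for txn in batch:
        reason = edit_check(txn)
        # Transaction control: reject types outside the user's normal duties.
        if reason is None and txn["type"] not in ALLOWED.get(txn["user"], set()):
            reason = "transaction type not permitted for user"
        # The audit trail records the original input item, the user and the decision for later tracing.
        res["audit_trail"].append({"id": txn["id"], "user": txn["user"], "input": dict(txn),
                                   "status": "ACCEPTED" if reason is None else "REJECTED", "reason": reason})
        if reason is None:
            res["accepted"].append(txn)
        else:
            res["rejected"].append((txn["id"], reason))
    return res

def control_totals(res):
    """Summary totals the auditor reconciles against the batch: counts and accepted amount."""
    total = round(sum(float(t["amount"]) for t in res["accepted"]), 2)
    return {"accepted_count": len(res["accepted"]), "accepted_amount": total,
            "rejected_count": len(res["rejected"])}

def trace(res, txn_id):
    """Trace a transaction from the final result back to its initial input and the decision made on it."""
    return next(e for e in res["audit_trail"] if e["id"] == txn_id)
```

Running `process_batch(INPUT_BATCH)` accepts T1 and T3 and rejects T2 (format), T4 (duty restriction) and T5 (value), with control totals of 2 accepted items worth 500.00 against 3 rejections.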
