1 4 Testing General and Automated Controls Learning Objectives To understand the reasons for testing; To have an idea about Audit Planning and Testing; To discuss testing critical control points; To learn tests of general controls at various levels; To have an idea about Continuous Audit and Embedded Audit Modules, and To discuss hardware testing and review of operating system and network. 4.1 Introduction to Basics of Testing (Reasons for Testing) Testing is a scientific process performed to determine whether the controls ensure the system design effectiveness as well as the implemented system controls operational effectiveness. It involves, understanding a process and the expected results. Testing of large amounts of transactions or data is usually not possible due to time and cost constraints. Hence, sampling is done on the population (system resource) and ensures a sufficient quality and quantity to extrapolate the results of the testing into a reliable conclusion on the entire population (system resource). Testing of Controls involves obtaining the population and conducting the compliance tests either on the entire population and/or on selected samples from the population. It may also be conducted using utilities of audit tools. Testing of the controls design and the reliable results are done by one of the following methods: (i) Substantive Testing: This type of testing is used to substantiate the integrity of the actual processing. It is used to ensure that processes, not controls, are working as per the design of the control and produce the reliable results. (ii) Compliance Testing A compliance test determines if controls are working as designed. As per the policies and procedures, compliance testing results into the adherence to management directives. The Information System (IS) controls audit involves the following three phases: Planning: The auditor determines an effective and efficient way to obtain the evidential matter necessary to achieve the objectives of the IS controls audit and the audit report. For financial audits, the auditor develops an audit strategy and an audit plan. For performance audits, the auditor develops an audit plan.
2 4.2 Information Systems Control and Audit Testing: The auditor tests the effectiveness of IS controls that are relevant to the audit objectives. Reporting: The auditor concludes on the effect of any identified IS control weaknesses with respect to the audit objectives and reports the results of the audit, including any material weaknesses and other significant deficiencies. 4.2 Audit Planning In planning the IS controls audit, the auditor uses the equivalent concepts of materiality (in financial audits) and significance (in performance audits) to plan both effective and efficient audit procedures. Materiality and significance are concepts the auditor uses to determine the planned nature, timing, and extent of audit procedures. The underlying principle is that the auditor is not required to spend resources on items of little importance; that is, those that would not affect the judgment or conduct of a reasonable user of the audit report, in light of surrounding circumstances. On the basis of this principle, the auditor may determine that some areas of the IS controls audit (e.g., specific systems) are not material or significant, and therefore warrant little or no audit attention. Materiality and significance include both quantitative and qualitative factors in relation to the subject matter of the audit. Even though a system may process transactions that are quantitatively immaterial or insignificant, the system may contain sensitive information or provide an access path to other systems that contain information that is sensitive or otherwise material or significant. For example, an application that provides public information via a website, if improperly configured, may expose internal network resources, including sensitive systems, to unauthorized access. Planning occurs throughout the audit as an iterative process. (For example, based on findings from the testing phase, the auditor may change the planned audit approach, including the design of specific tests.) However, planning activities are concentrated in the planning phase, during which the objectives are to obtain an understanding of the entity and its operations, including its internal control, identify significant issues, assess risk, and design the nature, extent, and timing of audit procedures. To accomplish this, the methodology presented here is a guidance to help the auditor to perform IS system Audit testing. 4.3 Audit Testing The auditor must address many considerations that cover the nature, timing, and extent of testing. The auditor must devise an auditing testing plan and a testing methodology to determine whether the previously identified controls are effective. The auditor also tests whether the end-user applications are producing valid and accurate information. For microcomputers, several manual and automated methods are available to test for erroneous data. An initial step is to browse the directories of the PCs in which the end-user-developed application resides. Any irregularities in files should be investigated. Depending on the nature of the audit, computer-assisted techniques could also be used to audit the application. The auditor should also conduct several tests with both valid and invalid data to test the ability and extent of error detection, correction, and prevention within the application. In addition, the
3 Testing General and Automated Controls 4.3 auditor should look for controls such as input balancing and record or hash totals to ensure that the end user reconciles any differences between input and output. The intensity and extent of the testing should be related to the sensitivity and importance of the application. The auditor should be wary of too much testing and limit his or her tests to controls that cover all the key risk exposures and possible error types. The key audit concern is that the testing should reveal any type of exposure of sensitive data and that the information produced by the application is valid, intact, and correct. One should test the critical controls, processes, and apparent exposures. The auditor performs the necessary testing by using documentary evidence, corroborating interviews, and personal observation. Secondly, we may test the critical controls, processes, and apparent exposures. The auditor performs the necessary testing by using documentary evidence, corroborating interviews, and personal observation. Validation of the information obtained is prescribed by the auditor s work program. Again, this work program is the organized, written, and pre-planned approach to the study of the IT department. It calls for validation in several ways as follows: Asking different personnel the same question and comparing the answers Asking the same question in different ways at different times Comparing checklist answers to work papers, programs, documentation, tests, or other verifiable results Comparing checklist answers to observations and actual system results Conducting mini-studies of critical phases of the operation Such an intensive program allows an auditor to become informed about the operation in a short time. Programs are run on the computer to test and authenticate application programs that are run in normal processing. The audit team selects one of the many Generalized Audit Software (GAS) packages such as Microsoft Access or Excel, IDEA, or ACL and determines what changes are necessary to run the software at the installation. The auditor is to use one of these software s to do sampling, data extraction, exception reporting, summarize and foot totals, and other tasks to perform in-depth analysis and reporting capability IS Controls Audit Process The IS control Audit process involves: Obtaining an understanding of an entity and its operations and key business processes, Obtaining a general understanding of the structure of the entity s networks, Identifying key areas of audit interest (files, applications, systems, locations), Assessing IS risk on a preliminary basis, Identifying critical control points (for example, external access points to networks), Obtaining a preliminary understanding of IS controls, and Performing other audit planning procedures.
4 4.4 Information Systems Control and Audit These tasks are not generally performed as discrete, sequential steps, the IS controls specialist may gather information related to several steps concurrently, such as through interviews with key Information Technology (IT) staff or through data requests, or may perform steps in a different sequence. The auditor performs planning to determine an effective and efficient way to obtain the evidential matter necessary to support the objectives of the IS controls audit and the audit report. The nature and extent of audit planning procedures varies for each audit depending on several factors, including the entity s size and complexity, the auditor s experience with the entity, and the auditor s knowledge of the entity s operations. If the IS controls audit is performed as part of a financial audit, the auditor is to obtain an understanding of internal control over financial reporting sufficient to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures based on that assessment. This includes performing risk assessment procedures to evaluate the design of controls relevant to an audit of financial statements and to determine whether they have been implemented. In obtaining this understanding, the auditor considers how an entity s use of information technology (IT) and manual procedures affect controls relevant to the audit. If the IS controls audit is performed as part of a performance audit, when information systems controls are determined to be significant to the audit objectives, auditors should then evaluate the design and operating effectiveness of such controls. This evaluation would include other information systems controls that impact the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. Auditors need to determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. It also provides the following factors to assist the auditor in making this determination: (i) The extent to which internal controls that are significant to the audit depend on the reliability of information processed or generated by information systems. (ii) The availability of evidence outside the information system to support the findings and conclusions: It may not be possible for auditors to obtain sufficient, appropriate evidence without assessing the effectiveness of relevant information systems controls. For example, if information supporting the findings and conclusions is generated by information systems or its reliability is dependent on information systems controls; there may not be sufficient supporting or corroborating information or documentary evidence that is available other than that produced by the information systems. (iii) The relationship of information systems controls to data reliability: To obtain evidence about the reliability of computer generated information, auditors may decide to assess the effectiveness of information systems controls as part of obtaining evidence about the reliability of the data. If the auditor concludes that information systems controls are effective, the auditor may reduce the extent of direct testing of data.
5 Testing General and Automated Controls 4.5 (iv) Assessing the effectiveness of information systems controls as an audit objective: When assessing the effectiveness of information systems controls is directly a part of audit objective, auditors should test information systems controls necessary to address the audit objectives. For example, the audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations Identify Key Areas of Audit Interest The auditor should identify key areas of audit interest, which are those that are critical to achieving the audit objectives (e.g., general support and business process application systems and files (or components thereof). For a financial audit, this would include key financial applications and data and related feeder systems. For a performance audit, this would include key systems that are likely to be significant to the audit objectives. For each key area of audit interest, the auditor should document relevant general support systems and major applications and files, including (i) the operational locations of each key system or file, (ii) significant components of the associated hardware and software (e.g., firewalls, routers, hosts, operating systems), (iii) other significant systems or system level resources that support the key areas of audit interest, and (iv) prior audit problems reported. The auditor should also identify all access paths into and out of the key areas of audit interest. By identifying the key systems, files, or locations, the auditor can concentrate efforts on them, and do little or no work associated with other areas. The auditor generally should prioritize important systems, files, or locations in order of importance to the audit objectives. The auditor may characterize these items by the sensitivity or significance of the information processed, dollar value of the transactions processed, or presence or number of key edits or other controls performed by a business process application. A preliminary understanding of the entity s IS controls, including the organization, staffing, responsibilities, authorities, and resources of the entity s security management function. The auditor should include the following information in the documentation of their preliminary understanding of the design of IS controls, to the extent relevant to the audit objectives: Identification of entitywide level controls (and appropriate system level controls) designed to achieve the control activities for each critical element within each general control area and a determination of whether they are designed effectively and implemented (placed in operation), including identification of control activities for which there are no or ineffective controls at the entitywide level and the related risks; Identification of business process level controls for key applications identified as key areas of audit interest, determination of where those controls are implemented (placed in operation) within the entity s systems, and the auditor s conclusion about whether the controls are designed effectively, including identification of control activities for which there are no or ineffective controls and the related risks and the potential impact of any
6 4.6 Information Systems Control and Audit identified design weaknesses on the completeness, accuracy, validity, and confidentiality of application data; Any internal or third-party information systems reviews, audits, or specialized systems testing (e.g., penetration tests, disaster recovery tests, and application-specific tests) performed during the last year; Management s plans of action and milestones, or their equivalent, that identify corrective actions planned to address known IS weaknesses and IS control weaknesses; Status of the prior years audit findings; Documentation for any significant computer security related incidents identified and reported for the last year; Documented security plans; Documented risk assessments for relevant systems (e.g., general support systems and major applications); System certification and accreditation documentation or equivalent for relevant systems; Documented business continuity of operations plans and disaster recovery plans; A description of the entity s use of third-party IT services; Relevant laws and regulations and their relation to the audit objectives; Description of the auditor s procedures to consider the risk of fraud, any fraud risk factors that the auditor believes could affect the audit objectives, and planned audit procedures to detect any fraud significant to the audit objectives. Audit resources planned. Current multiyear testing plans. Documentation of communications with entity management. If IS controls are performed by service organizations, conclusions whether such controls are significant to the audit objectives and any audit procedures performed with respect to such controls (e.g., review of service auditor reports) If the auditor plans to use the work of others, conclusions concerning the planned use of the work of others and any audit procedures performed with respect to using the work of others. Audit plan that adequately describes the objectives, scope, and methodology of the audit. Any decision to reduce testing of IS controls due to the identification of significant IS control weaknesses.
7 Testing General and Automated Controls Performing Information System Controls Audit Tests To understand the Information Systems relevant to the Audit in the testing phase of the IS controls audit, the auditor uses information obtained in the planning phase to test the effectiveness of IS controls that are relevant to the audit objectives. As audit evidence is obtained through performing control testing, the auditor should reassess the audit plan and consider whether changes are appropriate. While determining whether IS controls are appropriately designed and implemented and while performing tests of IS controls, the auditor should periodically assess the cumulative audit evidence obtained to identify any revisions needed to the audit plan. For example, if significant weaknesses have been identified, the auditor may decide to perform less testing in remaining areas if audit objectives have been achieved. Conversely, the performance of tests may uncover additional areas to be tested. For those IS controls that the auditor determines are properly/suitably designed and implemented, the auditor determines whether to perform tests of the operating effectiveness of such controls. In determining whether to test the operating effectiveness of IS controls, the auditor should determine whether it is possible and practicable to obtain sufficient, appropriate audit evidence without testing IS controls. For federal financial statement audits and for single audits (compliance requirements), the auditor is required to test controls that are suitably designed and implemented to achieve a low assessed level of control risk. The auditor identifies control techniques and determines the effectiveness of controls at each of the following levels: (i) Entity wide or Component Level: (General controls) Controls at the entity or component level consist of the entity-wide or component-wide (IS system modules) processes designed to achieve the control activities. They are focused on how the entity or component manages IS related to each control activity, as discussed in Chapter 3. For example, the entity or component may have an entity-wide process for configuration management, including establishment of accountability and responsibility for configuration management, broad policies and procedures, development and implementation of monitoring programs, and possibly centralized configuration management tools. The absence of entity-wide processes may be a root cause of weak or inconsistent controls; by increasing the risk that IS controls are not applied consistently across the organization. (ii) System level (General controls): Controls at the system level consist of processes for managing specific system resources related to either a general support system or major application. These controls are more specific than those at the entity or component level and generally relate to a single type of technology. Within the system level are three further levels that the auditor should assess: network, operating system, and infrastructure application. The three sublevels can be defined as follows:
8 4.8 Information Systems Control and Audit Network: A network is an interconnected or intersecting configuration or system of components. For example, a computer network allows applications operating on various computers to communicate. Operating system: An operating system is software that controls the execution of computer programs and may provide various services. For example, an operating system may provide services such as resource allocation, scheduling, input/output control, and data management. Infrastructure applications: Infrastructure applications are software that is used to assist in performing systems operations, including management of network devices. These applications include databases, , browsers, plug-ins, utilities, and applications not directly related to business processes. For example, infrastructure applications allow multiple processes running on one or more machines to interact across a network. For an example of the identification of system level controls, take configuration management. The auditor who is evaluating configuration management at the system level should determine whether the entity has applied appropriate configuration management practices for each significant type of technology (e.g., firewalls, routers) in each of the three sublevels (e.g., specific infrastructure applications). Such configuration management practices typically include standard configuration guidelines for the technology and tools to effectively determine whether the configuration guidelines are effectively implemented. (iii) Business process application level: Controls at the business process application level consist of policies and procedures for controlling specific business processes. For example, the entity s configuration management should reasonably ensure that all changes to application systems are fully tested and authorized. General control activities that are applicable to the entitywide and system levels, includes the general controls applied at the business process application level (also referred to as application security) as well as the three categories of business process application controls. The control techniques for achieving the control activities and the related audit tests vary according to the level to which they are being applied. Thus, the auditor should develop more detailed audit steps based on the entity s specific software and control techniques, after consulting with the financial or performance auditor about audit objectives and significant areas of audit interest. The Table lists specific control activities and techniques applicable at each level:
9 Testing General and Automated Controls 4.9 General Controls Business Process Application Controls Control System Level Categories Security Management Access Controls Configuration Management Segregation of Duties Contingency Planning Business Process Controls Interfaces Data Management Systems Entitywide/ Component Level Network System Level Operating Systems Infrastructure Applications Table : Control Categories Applicable at Different Levels of Audit 4.4 Testing Critical Control Points Business Process Application Level The auditor should evaluate the effectiveness of IS controls including system and/or application level controls related to each critical control point. The auditor should evaluate all potential ways in which the critical control point could be accessed. Generally, for each critical control point, this would include assessing controls related to the network, operating system, and infrastructure application components. For example, if a particular router was deemed to be a critical control point, the auditor generally should test controls related to the router itself (a network component), its operating system, and the infrastructure application that is used to manage the router. Access to any of these could lead to access to the control point. The auditor determines the appropriate scope of the IS controls audit, including the organizational entities to be addressed (e.g., entitywide, selected component(s), etc.); the breadth of the audit (e.g., overall conclusion on IS control effectiveness, review of a specific application or technology area, such as wireless network etc.); the types of IS controls to be
10 4.10 Information Systems Control and Audit tested namely general and/or business process application level controls to be tested, or selected components; or all levels of the entity s information systems, or selected levels (e.g., entitywide, system level, or business process application level, or selected components of them. 4.5 Test Effectiveness of Information System Controls The auditor should design and conduct tests of relevant control techniques that are effective in design to determine their effectiveness in operation. It is generally more efficient for the auditor to test IS controls on a tiered basis, starting with the general controls at the entitywide and system levels, followed by the general controls at the business process application level, and concluding with tests of business process application, interface, and data management system controls at the business process application level. Such a testing strategy may be used because ineffective IS controls at each tier generally preclude effective controls at the subsequent tier. If the auditor identifies IS controls for testing, the auditor should evaluate the effectiveness of general controls at the entitywide and system level; general controls at the business process application level; and specific business process application controls (business process controls, interface controls, data management system controls), and/or user controls, unless the IS controls that achieve the control objectives are general controls. The auditor should determine whether entitywide and system level general controls are effectively designed, implemented, and operating effectively by: identifying applicable general controls; determining how those controls function, and whether they have been placed in operation; and evaluating and testing the effectiveness of the identified controls. The auditor generally should use knowledge obtained in the planning phase. The auditor should document the understanding of general controls and should conclude whether such controls are effectively designed, placed in operation, and, for those controls tested, operating as intended. 4.6 Tests of General Controls at the Entitywide and System Levels The auditor may test general controls through a combination of procedures, including observation, inquiry, inspection (which includes a review of documentation on systems and procedures), and reperformance using appropriate test software. Although sampling is generally not used to test general controls, the auditor may use sampling to test certain controls, such as those involving approvals.
11 Testing General and Automated Controls 4.11 If general controls at the entitywide and system levels are not effectively designed and operating as intended, the auditor will generally be unable to obtain satisfaction that business process application-level controls are effective. In such instances, the auditor should (i) determine and document the nature and extent of risks resulting from ineffective general controls and (ii) identify and test any manual controls that achieve the control objectives that the IS controls were to achieve. However, if manual controls do not achieve the control objectives, the auditor should determine whether any specific IS controls are designed to achieve the objectives. If not, the auditor should develop appropriate findings principally to provide recommendations to improve internal control. If specific IS controls are designed to achieve the objectives, but are in fact ineffective because of poor general controls, testing would typically not be necessary, except to support findings. 4.7 Tests of General Controls at the Business Process- Application Level If the auditor reaches a favorable conclusion on general controls at the entitywide and system levels, the auditor should evaluate and test the effectiveness of general controls for those applications within which business process application controls or user controls are to be tested. These business process application level general controls are referred to as Application Security (AS) controls. If general controls are not operating effectively within the business process application, business process application controls and user controls generally will be ineffective. If the IS controls audit is part of a financial or performance audit, the IS controls specialist should discuss the nature and extent of risks resulting from ineffective general controls with the audit team. The auditor should determine whether to proceed with the evaluation of business process application controls and user controls. 4.8 Tests of Business Process Application Controls and User Controls The auditor generally should perform tests of those business process application controls (business process, interface, data management), and user controls necessary to achieve the control objectives where the entitywide, system, and application-level general controls were determined to be effective. If IS controls are not likely to be effective, the auditor should obtain a sufficient understanding of control risks arising from information systems to: identify the impact on the audit objectives, design audit procedures, and develop appropriate findings.
12 4.12 Information Systems Control and Audit Also, in such circumstances, the auditor considers whether manual controls achieve the control objectives, including manual controls that may mitigate weaknesses in IS controls. If IS controls are not likely to be effective and if manual controls do not achieve the control objectives, the auditor should identify and evaluate any specific IS controls that are designed to achieve the control objectives to develop recommendations for improving internal controls. IS controls that are not effective in design do not need to be tested. If the auditor determined in a prior year that controls in a particular accounting application were ineffective and if management indicates that controls have not significantly improved, the auditor need not test them. 4.9 Appropriateness of Control Tests To assess the operating effectiveness of IS controls, auditors should perform an appropriate mix of audit procedures to obtain sufficient, appropriate evidence to support their conclusions. Such procedures could include the following: Inquiries of IT and management personnel can enable the auditor to gather a wide variety of information about the operating effectiveness of control techniques. The auditor should corroborate responses to inquiries with other techniques. Questionnaires can be used to obtain information on controls and how they are designed. Observation of the operation of controls can be a reliable source of evidence. For example, the auditor may observe the verification of edit checks and password controls. However, observation provides evidence about controls only when the auditor was present. The auditor needs other evidence to be satisfied controls functioned the same way throughout the period. The auditor may review documentation of control polices and procedures. For example, the entity may have written policies regarding confidentiality or logical access. Review of documents will allow the auditors to understand and assess the design of controls. Inspection of approvals/reviews provides the auditor with evidence that management is performing appropriate control checks. The auditor may combine these tests with discussions and observations. Analysis of system information (e.g., configuration settings, access control lists, etc.) obtained through system or specialized software provides the auditor with evidence about actual system configuration. Data review and analysis of the output of the application processing may provide evidence about the accuracy of processing. For example, a detailed review of the data elements or analytical procedures of the data as a whole may reveal the existence of errors. Computer-assisted audit techniques (CAAT) may be used to test data files to determine whether invalid transactions were identified and corrected by programmed controls. However, the absence of invalid transactions alone is insufficient evidence that the controls effectively operated.
13 Testing General and Automated Controls 4.13 Reperformance of the control could be used to test the effectiveness of some programmed controls by reapplying the control through the use of test data. For example, the auditor could prepare a file of transactions that contains known errors and determine if the application successfully captures and reports the known errors. Based on the results of the IS controls audit tests, the auditor should determine whether the control techniques are operating effectively to achieve the control activities. Controls that are not properly designed to achieve the control activities or that are not operating effectively are potential IS control weaknesses. For each potential weakness, the auditor should determine whether there are specific compensating controls or other factors that could mitigate the potential weakness. If the auditor believes that the compensating controls or other factors could adequately mitigate the potential weakness and achieve the control activity, the auditor should obtain evidence that the compensating or other control is effectively operating and actually mitigates the potential weakness. If it effectively mitigates the potential weakness, the auditor can conclude that the control activity is achieved; however, the auditor may communicate such weaknesses to the entity. If the potential weakness is not effectively mitigated, the potential weakness is an actual weakness. The auditor evaluates its effects on IS controls in combination with other identified weaknesses in the reporting phase Multiyear Testing Plans In circumstances where the auditor regularly performs IS controls audits of the entity (as is done, for example, for annual financial audits), the auditor may determine that a multiyear plan for performing IS controls audits is appropriate. Such a plan will cover relevant key agency applications, systems, and processing centres. These strategic plans should cover not more than a three year period and include the schedule and scope of assessments to be performed during the period and the rationale for the planned approach. The auditor typically evaluates these plans annually and adjusts them for the results of prior and current audits and significant changes in the IT environment, such as implementation of new systems. Multiyear testing plans can help to assure that all agency systems and locations are considered in the IS control evaluation process, to consider relative audit risk and prioritization of systems, and to provide sufficient evidence to support an assessment of IS control effectiveness, while helping to reduce annual audit resources under certain conditions. When appropriate, this concept allows the auditor to test computer-related general and business process application controls on a risk basis rather than testing every control every year. Under a multiyear testing plan, different controls are comprehensively tested each year, so that each significant general and business process control is selected for testing at least once during the multiyear period, which should not be more than 3 years. For example, a multiyear testing plan for an entity with five significant business process applications might include comprehensive tests of two or three applications annually, covering
14 4.14 Information Systems Control and Audit all applications in a two or three year period. For systems with high IS risk, the auditor generally should perform annual testing. Such multiyear testing plans are not appropriate in all situations. For example, they are not appropriate for first-time audits, for audits where some significant business process applications or general controls have not been tested within a sufficiently recent period (no more than 3 years), or for audits of entities that do not have strong entitywide controls. Also, using this concept, the auditor performs some limited tests and other activities annually for general and business process controls not selected for full testing; examples of such activities include updating the auditor s understanding of the control environment, inquiring about control changes, and conducting walkthroughs. For example, because of the importance of system level critical control points, the auditor generally updates the understanding of these yearly through limited tests Documentation of Control Testing Phase Information developed in the testing phase that the auditor should document includes the following: An understanding of the information systems that are relevant to the audit objectives IS Control objectives and activities relevant to the audit objectives By level (e.g., entitywide, system, business process application) and system sublevel (e.g., network, operating system, infrastructure applications), a description of control techniques used by the entity to achieve the relevant IS control objectives and activities By level and sublevel, specific tests performed, including related documentation that describes the nature, timing, and extent of the tests; evidence of the effective operation of the control techniques or lack thereof (e.g., memos describing procedures and results, output of tools and related analysis); if a control is not achieved, any compensating controls or other factors and the basis for determining whether they are effective; the auditor s conclusions about the effectiveness of the entity s IS controls in achieving the control objective; and for each weakness, whether the weakness is a material weakness, significant deficiency or just a deficiency, as well as the criteria, condition, cause, and effect if necessary to achieve the audit objectives Audit Reporting After completing the testing phase, the auditor summarizes the results of the audit, draws conclusions on the individual and aggregate effect of identified IS control weaknesses on audit risk and audit objectives and reports the results of the audit. The auditor evaluates the individual and aggregate effect of all identified IS control weaknesses on the auditor s conclusions and the audit objectives. The auditor evaluates the effect of any weaknesses on the entity s ability to achieve each of the critical elements and on the risk of unauthorized access to key systems or files. Also, the auditor evaluates potential control dependencies.
15 Testing General and Automated Controls 4.15 For each critical element, the auditor should make a summary determination as to the effectiveness of the entity s related controls, considering entitywide, system, and business process application levels collectively. The auditor should evaluate the effect of related underlying control activities that are not achieved. In addition, the auditor should determine whether the weaknesses preclude the effectiveness of each of the five categories of general controls or the four categories of application-level controls. If the controls for one or more of each category s critical elements are ineffective, then the controls for the entire category are not likely to be effective. The auditor uses professional judgment in making such determinations. For federal entities, if identified weaknesses relate to IS measures reported in FISMA reporting, the auditor should determine whether they were properly reported. Also, the auditor should determine whether IS control weaknesses identified by the audit were identified in the entity s Plans of Action and Milestones (POA&M s) or equivalent document. If not, the auditor generally should attempt to determine why they were not identified by the entity as appropriate and report weaknesses in the reporting process. Also, the auditor should evaluate whether the aggregate combination of weaknesses could result in unauthorized access to systems or files supporting key areas of audit interest. Guidance for evaluating IS controls and determining the appropriate reporting are discussed separately for financial audits and attestation engagements and for performance audits in the following sections. For example, a series of weaknesses might result in individuals having the ability to gain unauthorized external access to agency systems, escalate their privileges to obtain a significant level of access to critical control points, and consequently achieve access to key areas of audit interest. The auditor can use simplified network schematics annotated with weaknesses related to key system components to document the impact of a series of weaknesses. Such documentation may be developed as the audit progresses, allowing the auditor to demonstrate on the system that the weaknesses in fact exist and can be exploited to achieve the expected result. Also, such documentation can assist in communicating the related risks to entity management. Fig is an example of a simplified network schematic annotated with weaknesses related to key system components.
16 4.16 Information Systems Control and Audit Fig Example of Network Schematic Describing System Weaknesses Further, the auditor should evaluate the potential impact of any identified weaknesses on the completeness, accuracy, validity, and confidentiality of application data relevant to the audit objectives. When IS controls audits are performed as part of a broader financial or performance audit or attestation engagement, the IS controls specialist should coordinate with the auditor to determine whether significant controls are dependent on IT processing. In very rare circumstances, the auditor may determine that IS controls, in the aggregate, are ineffective, but that the entity has overall compensating controls not dependent on IT processing or that other factors mitigate or reduce the risks arising from IS control weaknesses. For example, a manual review of support for all disbursements could mitigate certain IS risks related to a disbursement system. If compensating controls or other factors are present, the auditor should document such controls or factors, test them appropriately to determine whether they effectively mitigate the identified IS control weaknesses, and draw conclusions about the nature and extent of the risks that remain after considering such controls or factors Audit Objectives Determine which IS Control Techniques are Relevant to the Audit Objectives. For each Relevant IS Control Technique Determine Whether it is Suitably Designed to Achieve the Critical Activity and has been implemented. Perform Tests to Determine whether such Control Techniques are Operating Effectively Identify Potential Weaknesses in IS Controls and Consider Compensating Controls.
17 Testing General and Automated Controls Report Audit Results For this, Evaluate the Effects of Identified IS Control Weaknesses Financial Audits, Attestation Engagements, and Performance Audits Consider Other Audit Reporting Requirements and Related Reporting Responsibilities Substantive Testing : Where controls are determined not to be effective, substantive testing may be required to determine whether there is a material issue with the resulting financial information. In an IT audit, substantive testing is used to determine the accuracy of information being generated by a process or application. Audit tests are designed and conducted to verify the functional accuracy, efficiency, and control of the audit subject. During the audit of an IS application, for example, the auditor would build and process test data to verify the processing steps of an application. The auditor selects and uses computer-aided audit tools to gather information and conduct the planned audit tests. Ā e appropriate selection of audit tools and their effective and accurate uses are essential to adequate audit testing. For example, if the performance of an application requires analysis, a computer program analyzer or instrumentation package would be an appropriate choice for use as an audit tool. In addition, if the audit staff uses an electronic document management system to capture their audit work (e.g., interviews, electronic documents, and schedules), how well does the auditor use this support tool? Documenting Results : The final step involves evaluating the results of the work and preparing a report on the findings. The audit results should include the audit finding, conclusions, and recommendations Audit Findings : Audit findings should be formally documented and include the process area audited, the objective of the process, the control objective, the results of the test of that control, and a recommendation in the case of a control deficiency. An audit finding form serves the purpose of documenting both control strengths and weaknesses and can be used to review the control issue with the responsible IT manager to agree on corrective action. The information can then be used to prepare the formal audit report and corrective action follows up Analysis : Interviews and functional tests provide the raw materials for drafting the audit report. It cannot be emphasized enough that the design and performance of audit tests and interviews is essential to producing a quality audit report. If care is not taken, it becomes a classic case of garbage in, garbage out. Analysis is the most important factor in converting raw data into a finished product ready for inclusion in an audit report. Complete analysis of test information should provide the auditor with all the necessary information to write an audit report. Thorough analysis includes a clear understanding of the standards the cause of the deviation the control weakness that led to the deviation the materiality and exposure involved. When possible, recommendations for corrective action Analysis of the results of tests and interviews should occur as soon as possible after they are completed.
18 4.18 Information Systems Control and Audit Too often, the bulk of audit analysis occurs when the auditor sits down and writes the audit report. Timely analysis enables the auditor to determine the causes and exposures of findings early in the audit. This gives the auditor time to conduct further testing when necessary and allows everyone more time to create corrective actions. It also promotes the better use of audit time by determining findings and exposures with a minimum of testing. One of the purposes of the current work paper guidelines is to provide documentation of this analysis process. Four analysis steps may be needed: Reexamine the standards and the facts Determine the cause of the deviation Determine the materiality and exposure of the deviation Determine possible recommendations for corrective action Although these are referred to as steps, they are not necessarily performed in chronological order. Likewise, completion of one step is not always necessary to complete later steps. As in all other areas of auditing, analysis requires judgment. Following is a discussion of each of the four steps in more detail. The terms finding, deficiency, problem, and issues are basically synonymous and mean the auditor identified a situation where controls or efficiencies can be improved. The situation, if acted upon, could result in enhanced productivity; the deterrence of fraud; or the prevention of monetary loss, personal injury, or environmental damage Reexamination : This is the most essential step in performing analysis. From this step, the auditor has the requisite data to make a judgment and formulate an opinion. The two factors under consideration are a standard (for comparison to the facts) and the facts (to compare to the standard). Step one reviews the standard, the facts, and whether a discrepancy actually exists between the two Standards Compliance : Standards are the procedures, operating guidelines, regulations, good business practices, or other predefined methodologies that define how an operation under audit should function. The standard establishes the viewpoint used by the auditor to evaluate test information. Standards should be identified and evaluated at the beginning of the audit, and decisions on the appropriateness of standards should be addressed at the time the audit tests are created. Performance of the audit may give the auditor additional data to use in developing more appropriate standards. The standard used must be clearly understood by the auditor and there must be sufficient confidence that the correct standard is used. Although the standard is a written, published procedure, it may be outdated, redundant, or not appropriate. Using the wrong standard can lead to incorrect or incomplete findings. Critical evaluation of a standard can also lead to the identification of inefficient practices. Four situations may occur while evaluating standards: No standard exists either explicitly or implicitly (this may imply a high degree of risk since no standard is present to guide how a function should perform). A standard exists but is not formal (i.e., good business practices).
19 Testing General and Automated Controls 4.19 The standard is formal and published but is redundant, not cost effective, no longer necessary, or no longer appropriate in some other manner. The standard is formal and is appropriate for evaluating the work performed Facts : After reviewing the standard, the auditor must evaluate the gathered facts. The auditor should re-verify that deviations found are representative of the current control environment, have adequate support (photocopies or other hard evidence if possible), and, whenever possible, have an agreement with the audit client that deviations exist. To ensure that findings are accurate and descriptive of the population, samples should be: Large enough to reflect the behavior of the population from which they were drawn Representative of all types of individual members in the population, and representative of the current control practices (timely) If the sample fails to meet these characteristics, the deviation might not be the basis for a useful finding. To remedy this, it may be necessary to add to the sample or select an entirely new sample Verification : Finally, the auditor must again compare the findings to the reexamined standards to determine if a valid discrepancy still exists. If not, there is no issue and nothing to report. If the discrepancy is still apparent, then the analysis of the finding continues Cause : Once the auditor is sure of his or her understanding of the standard, the next step is to identify the cause of the deviation. This is based on the reexamination of the standards involved. Determining the cause of a deviation is answering the who, what, why, where, and when of a particular asset, transaction, or event. The answers provide the raw material to help make judgments about the control system currently in place. Determining the cause helps identify the exposures and aids in formulating recommendations Exposure and Materiality : This step examines the potential consequences of deviations. It answers the question, Why does this need correction? To answer this, the auditor must understand exposure and materiality. Exposure results from subjecting an asset to potential loss, harm, damage, theft, improper or inefficient use, or neglect. Assets are tangible (money, buildings, computers) or intangible (an account, data, good will), human or nonhuman. The risk is posed by people (theft, neglect, misuse) or by the environment (fire or weather). The degree of exposure is related to the proximity and severity of the risk. Proximity of the risk refers to how available the asset is to the person or environmental factor posing the risk. For example, there is less proximity to risk for small physical assets with high dollar values (e.g., computers) when there is limited access; inventory controls such as identification numbers and inventory lists; and a physical comparison of the asset to the list. The fewer controls in place the more proximate the risk. Severity of the risk refers to the potential amount of loss for each deviation. The greater the value of the asset exposed to risk and the closer the proximity to risk, the higher the potential loss for each deviation.
20 4.20 Information Systems Control and Audit Materiality is a qualitative judgment about whether a deviation s frequency of occurring and degree of exposure are significant enough for the deviation to be corrected and included in the final audit report. Frequency refers to how often an event will occur. It is the combination of the likelihood an individual transaction will deviate from the standard and the total number of transactions. With this understanding of exposure and materiality, answers to the following questions help identify why corrections should take place. What happened or can happen (exposure) because of the identified deviation? Remember the big picture. Start with the deviation found and expand outward to get to the big picture. Be specific regarding what assets, transactions, and business entities are affected. Name the risk(s) that the asset or transaction is exposed to. How serious (materiality) is this consequence in terms of some standard of value (money, time, personal injury, or ill will)? Identify which standard(s) of value apply to the deviation analyzed. Make measurements of the severity of the exposure. If extrapolating, use a statistically sound method of estimation. How often (frequency) has the deviation occurred or is it expected to occur? Upon completing this step of analysis, the auditor should have a complete understanding of the standard used to measure the deviation. Why the standard is an appropriate measure (or model) of how an asset/transaction should be handled or controlled the substantial, significant, compelling audit evidence (proof) that a deviation has occurred. What caused the deviation to occur in terms of the department/person responsible for controlling the asset/transaction, what controls were not in place or not followed that allowed the deviation to occur, and the effectiveness of management s review process and corrective action over the area under audit the degree of exposure and the materiality of the deviation. Based on this, the auditor will have sufficient data to make an informed judgment about the state of controls and the efficiency of operations in the area under audit. Conclusions Conclusions are auditor opinions, based on documented evidence, that determine whether an audit subject area meets the audit objective. All conclusions must be based on factual data obtained and documented by the auditor as a result of audit activity. The degree to which the conclusions are supported by the evidence is a function of the amount of evidence secured by the auditor Concurrent or Continuous Audit and Embedded Audit Modules Today, organizations produce information on a real-time, online basis. Real-time recordings needs real-time auditing to provide continuous assurance about the quality of the data, thus, continuous auditing. Continuous auditing enables auditors to significantly reduce and perhaps
Performing Audit Procedures in Response to Assessed Risks 1781 AU Section 318 Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Supersedes SAS No. 55.)
INTERNATIONAL STANDARD ON AUDITING 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Paragraph Introduction
INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT (This Standard is effective, but will be withdrawn when ISA 315 and 330 become effective) * CONTENTS Paragraph
SINGAPORE STANDARD ON AUDITING SSA 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS This revised Singapore Standard on Auditing (SSA) 330 supersedes SSA 330 The Auditor s Procedures in Response to Assessed
CHAPTER INFORMATION SYSTEM AUDITING AND ASSURANCE As more and more accounting and business systems were automated, it became more and more evident that the field of auditing had to change. As the systems
United States General Accounting Office This release of the FISCAM document has been reformatted from the January 1999 version. It includes only formatting changes, refers to several different GAO documents,
184 AUDIT PROCEDURES RECEIVABLE AND SALES Ștefan Zuca Abstract The overall objective of the audit of accounts receivable and sales is to determine if they are fairly presented in the context of the financial
Audit Evidence 1859 AU Section 326 Audit Evidence (Supersedes SAS No. 31.) Source: SAS No. 106. See section 9326 for interpretations of this section. Effective for audits of financial statements for periods
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
November 25, 2009 e q 1 Institute of of Pakistan ICAP Auditorium, Karachi Sajid H. Khan Executive Director Technology and Security Risk Services e q 2 IS Environment Back Office Batch Apps MIS Online Integrated
IAASB Main Agenda (September 2005) Page 2005 1853 Agenda Item 4-D ISA 330 (Redrafted) THE AUDITOR S PROCEDURES IN RESPONSE TO ASSESSED RISKS INTRODUCTION CONTENTS Paragraph Scope of this ISA... 1 Effective
A logical place to begin any comprehensive evaluation of internal controls is at the top entity-level controls that might have a pervasive effect on the organization. This includes a consideration of factors
INTERNATIONAL STANDARD ON AUDITING 330 THE AUDITOR S PROCEDURES IN RESPONSE TO ASSESSED RISKS (Effective for audits of financial statements for periods beginning on or after June 15, 2006) CONTENTS Paragraph
INTERNATIONAL STANDARD ON AUDITING 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING (Effective for audits of financial statements for periods beginning on or after December 15, 2004) CONTENTS Paragraph Introduction...
Examination of an Entity s Internal Control 1403 AT Section 501 An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements Source:
Auditing Derivative Instruments 1915 AU Section 332 Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1 (Supersedes SAS No. 81.) Source: SAS No. 92. See section 9332 for
Auditing Standard No. 5 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements June 12, 2007 AUDITING AND RELATED PROFESSIONAL PRACTICE STANDARDS
A U D I T I N G A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT 9 th Edition Karla M. Johnstone Audrey A. Gramling Larry E. Rittenberg CHAPTER 5 PROFESSIONAL AUDITING STANDARDS AND THE AUDIT OPINION
INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 330 THE AUDITOR S PROCEDURES IN RESPONSE TO ASSESSED RISKS (Effective for audits of financial statements for periods beginning on or after 15 June 2006)
CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,
SRI LANKA AUDITING STANDARD 500 AUDIT EVIDENCE (Effective for all the audits carried out on or after.) CONTENTS Paragraph Introduction 1-2 Concept of Audit Evidence 3-6 Sufficient Appropriate Audit Evidence
 Accounting and internal control systems and audit risk assessments (Issued March 1995) Contents Paragraphs Introduction 1 12 Inherent risk 13 15 Accounting system and control environment 16 23 Internal
INTERNATIONAL STANDARD ON 400 RISK ASSESSMENTS AND INTERNAL CONTROL (This Standard is effective, but will be withdrawn when ISA 315 and 330 become effective) * CONTENTS Paragraph Introduction... 1-10 Inherent
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938
Understanding the Entity and Its Environment 1667 AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55.) Source: SAS No. 109.
11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78
Review Questions Chapter 9 The Study of Internal Control and Assessment of Control Risk 9-1 There are seven parts of the planning phase of audits: preplan, obtain background information, obtain information
Accounting 408 Exam 2 Chapters 4-6, E Name Row I. Multiple Choice. (2 points each, 92 points total) Read the following questions carefully and indicate the one best answer to each question by placing a
Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall
Auditing and Assurance Practice Committee Statement No.82 Practical Guidance for Audits of Internal Control over Financial Reporting October 24, 2007 The Japanese Institute of Certified Public Accountants
Introduction to IT Audit January 23, 2008 Who We Are Randy Roehm Technology Risk Director Jason Brucker Technology Risk Manager Zeb Buckner Internal Audit Consultant Zeb.firstname.lastname@example.org Darcie Allen
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department
A U D I T I N G A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT 9 th Edition Karla M. Johnstone Audrey A. Gramling Larry E. Rittenberg CHAPTER 3 INTERNAL CONTROL OVER FINANCIAL REPORTING: MANAGEMENT
1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org STAFF AUDIT PRACTICE ALERT NO. 11 CONSIDERATIONS FOR AUDITS OF INTERNAL CONTROL OVER FINANCIAL
CGA-Canada Auditing Guideline No. 3 Audit planning and control Introduction Experience has proven that there is a significant, favourable impact in the quality and cost-effectiveness of an audit if major
Certified Information Systems Auditor (CISA) Course 1 - The Process of Auditing Information Systems Slide 1 Course 1 The Process of Auditing Information Systems Slide 2 Topic A Management of the IS audit
Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of
Audit Sampling 2067 AU Section 350 Audit Sampling (Supersedes SAS No. 1, sections 320A and 320B.) Source: SAS No. 39; SAS No. 43; SAS No. 45; SAS No. 111. See section 9350 for interpretations of this section.
Chapter 5 Planning the Audit Engagement A. Purpose for Planning the Engagement Engagement planning is performed to provide a means for developing an understanding of the business objectives of the auditee,
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
DIVISION OF AUDIT SERVICES Internal Control Deliverables For System Development Projects Table of Contents Introduction... 3 Process Flow... 3 Controls Objectives... 4 Environmental and General IT Controls...
SOLUTION 1(a) (a) The Auditing guideline points out that the amount or quantity of audit evidence required for the auditor to achieve the level of assurance is a matter of professional judgment. The factors
10-1 Auditing Business Process Auditing Business Process Objectives Understand the Auditing of the Enteties Business Process Identify the types of transactions in different Business Process Asses Control
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
Office of the State Controller Self-Assessment of Internal Controls Computer Security Cycle Objectives and Risks Agency Year-End Objectives Risks Definition and communication of organizational structure,
Comparison of ISA 330 with AS-402 Objectives and Requirements Only International Standard on Auditing 330 (Redrafted): The Auditor s INTRODUCTION Scope of this ISA 1. This International Standard on Auditing
Auditing Guidance Statement AGS 1042 (July 2002) Reporting on Control Procedures at Outsourcing Entities Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation
REPORT NO. 2015-007 AUGUST 2014 DEPARTMENT OF EDUCATION FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM Information Technology Operational Audit DEPARTMENT OF EDUCATION Pursuant to Article IX, Section
PeopleSoft Upgrade Post-Implementation Audit Initially Issued on June 2015 Reissued on October 2015 with the updated management response to the first observation only on page 5 Table of Contents Executive
Chapter 5 Stages of the Audit Process Learning Objectives Upon completion of this chapter you should be able to explain: LO 1 Explain the audit process. LO 2 Accept a new client or confirming the continuance
1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org STAFF VIEWS AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN
Appendix VIII SAS 70 Examinations of EBT Service Organizations Background States must obtain an examination by an independent auditor of the State electronic benefits transfer (EBT) service providers (service
REPORT NO. 2012-028 NOVEMBER 2011 AGENCY FOR WORKFORCE INNOVATION UNEMPLOYMENT INSURANCE PROGRAM Information Technology Operational Audit DIRECTOR OF THE AGENCY FOR WORKFORCE INNOVATION Pursuant to Section
January 2004 5(1) Paragraph CHAPTER 5 Table of Contents 5-000 Audit of Policies, Procedures, and Internal Controls Relative to Accounting and Management Systems Page 5-001 Scope of Chapter... 501 5-100
INTERNATIONAL STANDARD ON ENGAGEMENTS 2410 OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY (Effective for reviews of interim financial information for periods beginning
Internal Controls A short presentation from Your Internal Audit Department The Old Internal Audit Department The New Internal Audit Department We re here to help! Teach + Train = Change Our goal: Promote
Case Report from Audit Firm Inspection Results August 2012 Certified Public Accountants and Auditing Oversight Board Table of Contents Introduction 1 Quality Control System 1. Management Systems 3 2. Professional
July 2015 Information Technology Operational Audit DEPARTMENT OF STATE Florida Voter Registration System (FVRS) Sherrill F. Norman, CPA Auditor General Secretary of State Section 20.10, Florida Statutes,
3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
STANDARD ON INTERNAL AUDIT (SIA) 5 SAMPLING * Contents Paragraph(s) Introduction... 1-2 Definitions... 3-9 Use of Sampling in Risk Assessment Procedures and Tests of Controls... 10-12 Design of the Sample...
Accounting Research Manager - Audit Private Accounting Research Manager Miller Interpretations and Other Resources Knowledge-Based Audit Procedures Chapter 15: Accounts Payable and Purchases Chapter 15:
1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction... 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley...
Overall Audit Plan and Audit Program A424: Chapter 13 I. Introduction Chapter is primarily review and integration of the audit framework. II. Types of Tests used to determine fair presentation of financial
POLICY & PROCEDURE DOCUMENT NUMBER: 3.9011 DIVISION: Finance and Administration TITLE: Office of Internal Audit Policy and Procedures DATE: May 27, 2014 Authorized by: K. Ann Mead, Senior Vice President
Our mission is to build relationships and develop innovative solutions which help dynamic people and organizations to create and realize value... IT Controls and COBIT Presentation 2004 Wöll Consulting,
PART 10 COMPUTER SYSTEMS 10-1 PART 10 COMPUTER SYSTEMS The following is a general outline of steps to follow when contemplating the purchase of data processing hardware and/or software. The State Board
INTERNATIONAL STANDARD ON 200 OVERALL OBJECTIVES OF THE INDEPENDENT AUDITOR AND THE CONDUCT OF AN AUDIT IN ACCORDANCE WITH INTERNATIONAL STANDARDS ON (Effective for audits of financial statements for periods
Advisory Services Antifraud program and * Fraud risks & controls February 2008 *connectedthinking 2008 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers
Section 404 Audits of Internal Control and Control Risk I. Introduction Preparation Questions: Which of the GAAS fieldwork standards requires and understanding of internal controls? What is the difference
PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts
10 CHAPTER Substantive Tests of Transactions and Balances LEARNING OBJECTIVES After studying this chapter you should be able to: 1 2 identify and distinguish between tests of controls and substantive tests
INTERNATIONAL STANDARD ON AUDITING 500 AUDIT EVIDENCE (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Paragraph Introduction Scope of this ISA...
(STP) Template Items that are intended to stay in as part of your document are in bold; explanatory comments are in italic text. Plain text is used where you might insert wording about your project. This
Report on Office of the Superintendent of Financial Institutions Corporate Services Sector Human Resources Payroll April 2010 Table of Contents 1. Background... 3 2. Audit Objectives, Scope and Approach...
COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,
Implementation Tool for Auditors CANADIAN AUDITING STANDARDS (CAS) APRIL 2015 STANDARD DISCUSSED CAS 240, The auditor s responsibilities relating to fraud in an audit of financial statements Testing Journal
Article: Control Systems and Controls Testing: General Review By: Paul Lydon, BA, CPA, MBS (Hons), PGCLTHE, FHEA Current Examiner in P1 Auditing The main duty of auditors is to report to the members on
Information Technology General Controls (ITGCs) 101 Presented by Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Internal Audit Webinar Series Webinar Agenda