
Appendix - ‘D’

Auditing in an IT environment

Introduction

1.    This appendix highlights a range of important considerations for financial auditing and performance auditing in an IT environment. It is not intended to be a substitute for the detailed guidelines that SAIs may need to develop to suit entities' IT environments.

2.    The approach towards auditing in an IT environment should involve the following inter-related processes:

APPLICATION OF IT AUDIT

3.    An IT audit is part of the overall audit process. Therefore, it is important to have an understanding of the various types of IT audits that can be conducted. This understanding is required so that the development of audit programs and procedures is appropriately focused and their execution will ultimately satisfy the specific audit objectives. In short, this means collecting and analysing evidence in an IT environment in order to conclude against pre-defined audit objectives.

4.    IT audit can be applied in the implementation of financial audits as well as performance audits.

Financial Audit

5.    The purpose of a financial audit is to express an opinion on the financial statements and financial accountability of public sector entities. The overall purpose of the IT component of a financial audit is to assess the reliability of IT controls that support the processing of financial records. This includes assessing the effectiveness and efficiency of IT controls through evaluating the IT environment to understand how well management uses technology and how pervasive IT is in important business processes.

Planning

6.    In undertaking an IT audit as a component of a financial audit, the audit approach should be risk based. There are four procedures that should be planned for in developing the approach in order to be able to conclude on the effectiveness of controls over the information technology processes that have a direct impact on the processing of financial information:

Audit Risks

7.    The IT auditor, in undertaking an IT audit as a component of a financial audit, needs to be aware of a number of risks that organisations face. In taking a risk-based approach, the auditor can focus on those areas that pose the greatest risk of the organisation not presenting fair and true financial statements.

Performance Audits

8.    The purpose of a performance audit is to evaluate the efficiency, economy and/or administrative effectiveness of public sector entities. Performance auditing promotes public accountability and is an aid to good corporate governance.

9.    In a performance audit, there are two possible roles for IT auditing. The first is where IT is the main focus of the audit. Here, the audit objectives include examining an organisation's IT systems and how the organisation is performing against benchmark performance. The second is where an IT audit, as a component of a performance audit, seeks to support the work of a performance audit that is focused on the efficiency and effectiveness of business processes/government programs.

10.    Where the IT audit is a component of a performance audit, the auditor may be required to produce an internal report to the performance audit team on how the performance audit team can rely on the IT systems for the remaining aspects of the audit. Furthermore, the IT auditor, whilst not producing the final audit report in this case, may be responsible for an aspect of the report and as such will need to liaise with the performance audit team.

Computer Assisted Audit Techniques and Tools (CAATTs)

11.    CAATTs have the ability to extract data from commonly used file formats and the tables of most database systems. Thus, these tools can be used during the audits of almost any application on any technology platform. The audit software can perform a variety of queries and other analyses on the data. Some of the features are: data queries, data stratification, sample extractions, missing sequence identification, statistical analysis and calculations. This software also can perform operations after combining and joining files and tables.

12.    Prerequisites for Using CAATTs

Benefits of Using CAATTs

13.    With data volumes growing and management expectations on assurances becoming more specific, random verifications and testing do not yield the desired value. The use of audit software ensures 100 percent scrutiny, in an exceptionally short time, of transactions in which there is audit interest, and pointed identification of erroneous/exceptional transactions, even when data volumes are huge. Another advantage of the audit software is the uniform, user-friendly interface that it presents to the auditor for performing all the tasks, irrespective of the data formats or the underlying technology used by the application. The audit software also maintains logs of the tests done for review by peers and seniors, and advanced features allow the programming of certain macros and routines that can further enhance audit speed and efficiency.

Audit Trail

14.    The objective of an audit trail is to obtain sufficient evidence regarding the reliability and integrity of the IT application system. To achieve this, the audit trail should contain enough information to allow management, the auditor and the user:

The audit trail should include the following information:

15.    In a computer system, the audit trail may not always be as apparent as in a manual system, since data are often retained on magnetic media and output is limited to a small number of total items processed, with reports produced only on an exception basis. The general procedure is to first investigate control totals and run totals within the whole system and then check and substantiate the audit trail by limited checking through records and files or by taking intermediate printouts of audit interest. If the design of the computer system does not provide for an adequate audit trail, this should be brought out in the audit review, highlighting control weaknesses or lack of controls in the system. Apart from errors that might creep into the system, there is a possibility of fraud, which might occur due to undetected control weaknesses.
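The tests named in paragraphs 11 and 15 (control-total reconciliation, missing sequence identification, data stratification and sample extraction) can be sketched as follows. This is an added example, not part of the original appendix or of any audit software product; the ledger, control figures, stratum boundaries and function names are constructed for illustration.

```python
import random

# Constructed sample ledger: (voucher_no, amount). Voucher 1004 is absent on purpose.
LEDGER = [
    (1001, 250.00), (1002, 4800.00), (1003, 75.50), (1005, 12500.00),
    (1006, 980.00), (1007, 310.25), (1008, 22000.00), (1009, 640.00),
]
# Control figures as a batch header would report them (constructed values).
CONTROL = {"count": 8, "total": 41555.75}
# Hypothetical stratum boundaries: (label, inclusive lower bound), highest first.
STRATA = [("high", 10000.0), ("medium", 1000.0), ("low", 0.0)]

def reconcile(records, control):
    """Compare record count and amount total with the reported control figures."""
    total = round(sum(amount for _, amount in records), 2)
    return {"count_ok": len(records) == control["count"],
            "total_ok": total == control["total"],
            "computed_total": total}

def missing_sequence(records):
    """Return voucher numbers absent between the lowest and highest number seen."""
    seen = {voucher for voucher, _ in records}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)

def stratify(records):
    """Group voucher numbers by the first stratum whose lower bound the amount meets."""
    groups = {label: [] for label, _ in STRATA}
    for voucher, amount in records:
        label = next((l for l, low in STRATA if amount >= low), "negative")
        groups.setdefault(label, []).append(voucher)
    return groups

def draw_sample(records, per_stratum=1, seed=2024):
    """Draw a random sample per stratum; a fixed seed lets a reviewer re-run it."""
    rng = random.Random(seed)
    return {label: sorted(rng.sample(vouchers, min(per_stratum, len(vouchers))))
            for label, vouchers in stratify(records).items()}

if __name__ == "__main__":
    print("control totals:", reconcile(LEDGER, CONTROL))
    print("missing vouchers:", missing_sequence(LEDGER))
    print("strata:", stratify(LEDGER))
    print("sample:", draw_sample(LEDGER, per_stratum=2))
```

Here the control totals agree while the sequence test still reports a gap, which is why the two checks are run together rather than one being treated as a substitute for the other.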

Common IT Control frameworks

16.    The INTOSAI / ASOSAI framework for IT controls evaluation is as follows:

Specialized and support audit techniques/software

COBIT (Control Objectives for Information and Related Technology)

17.    COBIT is a generally applicable and accepted standard for good Information Technology security and control practices that provides a reference framework for management, users, and information system audit, control and security practitioners. COBIT helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues. COBIT is internationally accepted as good practice for control over information, IT and related risks. It is a tool for IT governance. IT governance is a set of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. COBIT enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise. In particular, COBIT's management guidelines contain a framework responding to management's need for control and measurability of IT by providing tools to assess and measure the enterprise’s IT capability for the 34 COBIT IT processes. The tools include:

18.    COBIT can be extremely useful to the auditors by providing criteria for review and examination, and by providing, through the framework, an approach to improve audit efficiency and effectiveness. COBIT is a framework that can be tailored according to the IT environment of the auditee organization and risk assessment.

Audit Management Software

19.    An SAI may use appropriate audit management software (e.g. Teammate) as an audit tool, which may have the following four components:

Internet

20.    The internet is becoming increasingly important as a research planning, communication and reporting tool. Auditors should be sufficiently familiar with the internet so that they can use it to facilitate the conduct of audits.