An Information Technology Audit (IT Audit) is an evaluation of a company's technical infrastructure, technical processes and policies, management controls, technical support, and technical applications, carried out to verify that they safeguard the company's policies and processes. These processes must align with an established standard of policies and support the company's specific technical goals.
1. Planning by mapping to relevant standards
2. Adjust for audit scope and objectives
3. Prioritize controls and align to budget
4. Walkthrough controls
5. Test controls
6. Consolidate, report and present results
The planning phase is the first step of the audit and is important because it sets up the framework of the audit. This step involves verifying and examining mandatory requirements. The audit's agenda should reflect the industry's regulations, rules, and guidelines.
This information can be gathered by inquiring of management and by reading organization publications, annual reports, past audits (if available), and analytical documents.
Adjusting for audit scope and objectives is the second step of the audit process. It is important to know the initial scope of the audit and the audit's objectives. Scope refers to the boundaries of the audit. The audit's scope may increase or decrease as the audit progresses or as the organization's structure and IT controls change.
Risk assessment consists of identifying risk, assessing risk, and taking steps to reduce risk.
IT auditors have access to risk assessment resources to calculate risk, and to the policies, procedures, practices, and organizational structures that are implemented by management. Policies, procedures, practices, and organizational structures are collectively called internal controls.
The third step of the audit process is to prioritize controls and align them to the budget. This step begins with a preliminary analysis that identifies existing controls and potential weaknesses. Each existing control must be inspected.
Inherent and residual risk must be considered when examining each control, because they help prioritize the areas requiring the most attention and budget.
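As an added illustration (not from the source page or its references), the following Python scores each control's inherent risk, derives its residual risk from the observed effectiveness of the control, and then selects the highest-residual-risk controls that fit within the audit budget. The 1-5 likelihood/impact scale, the 0-1 effectiveness figure, the cost units and the sample controls are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Control:
    name: str
    likelihood: int       # assumed 1-5 scale: how likely the threat is
    impact: int           # assumed 1-5 scale: business impact if it occurs
    effectiveness: float  # assumed 0.0-1.0: risk reduction observed in walkthrough
    cost: int             # assumed budget units needed to test/remediate

    @property
    def inherent_risk(self) -> int:
        # Risk before any control is applied.
        return self.likelihood * self.impact

    @property
    def residual_risk(self) -> float:
        # Risk remaining after the control has reduced the inherent risk.
        return self.inherent_risk * (1.0 - self.effectiveness)


def prioritize(controls: List[Control], budget: int) -> Tuple[List[Control], int]:
    """Rank controls by residual risk (highest first; ties broken by inherent
    risk, then lower cost) and greedily pick those that fit the budget.
    Returns the selected controls and the unspent budget."""
    ranked = sorted(controls, key=lambda c: (-c.residual_risk, -c.inherent_risk, c.cost))
    selected, remaining = [], budget
    for control in ranked:
        if control.cost <= remaining:
            selected.append(control)
            remaining -= control.cost
    return selected, remaining


# Constructed sample controls; values are illustrative only.
SAMPLE_CONTROLS = [
    Control("Privileged access review", 4, 5, 0.25, 3),
    Control("Backup restore testing", 3, 4, 0.50, 2),
    Control("Change management approval", 4, 4, 0.90, 1),
    Control("Vendor patch tracking", 5, 3, 0.00, 4),
]

if __name__ == "__main__":
    chosen, left = prioritize(SAMPLE_CONTROLS, budget=6)
    for c in chosen:
        print(f"{c.name}: inherent={c.inherent_risk} residual={c.residual_risk:.1f} cost={c.cost}")
    print("unspent budget:", left)
```

Controls with an effective existing control (high effectiveness) drop down the list even when their inherent risk is large, which is the point of considering both figures.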
Walkthroughs assess the overall risk of material misstatement in the controls. The purpose of a walkthrough is to catch any errors and to observe how the process is working.
The fifth step of the audit is to test the controls. IT controls are often described in two categories: IT general controls and IT application controls.
IT General Controls: controls that are around the IT's general infrastructure.
IT Application Controls: controls that are inside the IT's general infrastructure.
If the answer is no to any of the questions above, the control was not effective.
Inquiry
Observation of documentation
Examination
Re-Performance
Computer Assisted Audit Technique
The sixth and last step of the audit process is to consolidate, report, and present the results. A comprehensive examination is done, covering the integration into the enterprise resource monitoring framework, the overall governance, roles, and the level of IT risk within the organization. An opinion can be prepared for each tested control objective. Where an opinion or objection relates to a specific tested control objective, the auditor needs to explain to management the reasons for passing or failing the sections, highlight any weak points, and explain potential impacts on the organization.
Application Controls: Controls that are inside the IT’s general infrastructure.
General Controls: Controls that are around the IT’s general infrastructure.
Internal Controls: The policies, procedures, practices, and organizational structures implemented by management.
Inherent: Existing in something as a permanent, essential, or characteristic attribute.
Residual Risk: The amount of risk or danger associated with an action or event that remains after the natural or inherent risk has been reduced by risk controls.
Scope: Boundaries of the audit.