Académique Documents
Professionnel Documents
Culture Documents
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article, and choose
the Comments tab to
share your thoughts.
Go directly to the article:
PCAOBs AS5
Introduction to ITGC
Information resource planning
IT service delivery
Information systems operations
IT human resources
O
utsourced and third-party activities
Information security management
S ystems development life cycle (SDLC)
B
usiness continuity planning (BCP) and disaster recovery planning (DRP)
D
atabase management and controls
S ystems software support
N
etwork management and controls
H
ardware support
O
perating system management and controls
P hysical and environmental control
E nterprise portals
Identification and authentication
Controls: Application
Application controls are, by definition, automated controls, or
hybrid controls,4 which make sure transactions are properly
initiated, authorized, recorded, processed and reported.
The more the control objective is driven by manual controls
being melded, the higher the failure rate of the control. As IT
professionals know, a fully automated control does the same
thing over and over again. Once it has been tested, and as
long as integrated technologies are unchanged, it will keep
producing the same results as designed.
The IT auditor needs to know when it is appropriate to
include application controls, which controls are relevant, how
to test the control, how to assess its level of reliability and
assurance provided, and how to fit all of that with the overall
audit plan and program. The reviewer will be looking for that
kind of information.
The reviewers checklist for ITGCs would generally look
something like figure 5.
Figure 5Sample Reviewers Checklist for Application Controls
Did the audit engagement team and the IT audit team agree to
specific application software automated controls that are identified
as key controls to be the responsibility of the IT audit team to test?
Did the IT audit team perform appropriate tests of ITGCs over
in-scope application software (i.e., the application software
identified to contain key automated controls, as described previously)?
Did the IT audit team perform testing to verify the design and
operating effectiveness of the identified application software
automated controls, including the use of appropriate sample sizes,
as agreed to with the audit engagement team?
Did the IT audit team work with the audit engagement team
to complete the aggregation analysis of any identified ITGC
deficiencies?
Work Papers/Documentation
All auditors understand that the audit tests and procedures,
and other aspects of the audit program, must be documented.
The body of work papers, in particular, becomes the body of
evidence to support the audit report and findings.
In addition, work papers become a key factor in the review
process. The reviewer usually has not been privy to the daily
information being gathered and handled during the audit
process. Therefore, the reviewer is dependent on a body of
information to pick up and fully understand, for example,
what was done, the results, whether a sufficient body of tests
and procedures was done, and whether the proper
www.isaca.org/itaf
Learn more about, discuss and collaborate on audit
tools and techniques in the Knowledge Center.
www.isaca.org/
topic-audit-tools-and-techniques
conclusions were drawn from the body of evidence. In fact, it
is not uncommon in the first review for the reviewer, who is
generally one level above the team leader internally, to have
a question or need something else done to the evidence or
need something else done for the audit program. In such a
case, this is done with some form of written instructions (i.e.,
notes). When this happens, the process is pushed back to the
team leader to clear up whatever the reviewer requested
usually referred to as clearing notes in a financial audit.
It then goes back to the same reviewer. The efficiency and
effectiveness of this process, including the loop, are highly
dependent on the work papers quality, completeness and
clarity (for readers understanding).
Report
Lastly, there is a report. The report is definitely subject to
review. The report must be in conformity with the entitys
methodology and any technical requirements. It is probably
the most important document to get reviewed.
PROCESS
Some of the process has been explained, but it will flow
something like the following:
Team leader reviews the documentation, work papers and
report before sending it up the review chain.
Someone above the team leader reviews the audit. If
problems or issues are found, the package is returned to the
team leader, who addresses them.
Often, the review then goes to yet another person up the
review chainor parallel to itfor a second review.