
Conducting the IT Audit

Information Systems Audit (Audit Sistem Informasi)

FEUI
Introduction

Objectives
► To gain an understanding of the IT audit lifecycle.
► To give an overview of the four main types of IT audits.
► To gain a broad understanding of the logistics of conducting IT audits.

Agenda
► Audit standards
► The IT Audit lifecycle
► Types of IT Audit
► Using CobiT to perform an audit
► Summary
► Q&A
Page 2 Conducting the IT Audit
Audit standards

► Statements on Auditing Standards (SASs) from the AICPA
► IS Audit Standards, Guidelines and Procedures from ISACA
► Statements on Standards for Attestation Engagements (SSAE) from the AICPA
► International Auditing Standards from the International Federation of Accountants (IFAC)
► CobiT from ISACA
► SPAP from IAI

The IT Audit lifecycle

The lifecycle consists of seven phases: Planning, Risk assessment, Prepare audit program, Gather evidence, Form conclusions, Deliver audit opinion, Follow up.

Planning
Determining what risks are inherent in the audit, becoming familiar with the audit client and its environment, and planning how the audit will generally be conducted, including who will staff the audit.

Risk assessment: "What can go wrong?"
IT auditors focus first on determining what the critical support processes are, then ask themselves what can possibly go wrong within those support processes.

The IT Audit lifecycle (continued)

Prepare audit program
There is no specific standard audit program for IT audit, since it must be customized to the client's hardware, software, network, etc. A generic audit program includes: audit scope, audit objectives, audit procedures, and administrative details such as reporting.

Gathering evidence
The purpose of field work is to gather "sufficient, reliable, relevant and useful" evidence to achieve the audit objectives effectively. Not all evidence is created equal; auditors must discern the quality of the evidence they collect during fieldwork.

The IT Audit lifecycle (continued)

Forming conclusions
It is the auditor's job to evaluate the evidence, form conclusions, and identify any reportable conditions. Reportable conditions are usually compiled in a Management Letter. The conclusions should never come as a surprise to management personnel.

The audit opinion
There is no standard audit report. Some types of IT audits have special criteria for what is to be included in the audit report. Guidance on the general items to be included in the report is provided by the ISACA guidelines.

The IT Audit lifecycle (continued)

Following up
After communication of the audit result, the auditor will make provisions to follow up with the client on deficiencies found during the audit. For example, if a deficiency is significant, the auditor may plan to revisit the issue in 30 days. Follow-up may take the form of a telephone call to management or other additional audit procedures to satisfy all parties that management has corrected a material internal control weakness.

Types of IT Audit

1. Attestation
2. Findings and recommendation
3. SAS 70 Audit (SSAE 16)
4. SAS 94 Audit

Types of IT Audit: 1. Attestation

In an attest engagement, the auditor provides assurance on something for which the client is responsible.

Examples of attest procedures:


1. Data analytic reviews
2. Commission agreement reviews
3. Webtrust engagements
4. Systrust engagements
5. Financial projections
6. Compliance reviews

Types of IT Audit: 2. Findings and recommendation

A findings and recommendation report covers most reviews that would be considered "consulting" or "advisory" services. Examples of such engagements include: system implementations (including ERP implementations), security reviews, database application reviews, project management, and IT internal audit services.

A findings and recommendation report does not produce an opinion. Rather, it is a summary of the work performed in connection with the engagement.

Types of IT Audit: 3. SAS 70 Audit (now SSAE 16)

Companies often outsource applications such as accounting, payroll, e-commerce, and other computer services to third-party service providers. When the company hiring these services (the "user organization") undergoes its annual audit, its external auditor may want assurance as to the controls in place at the service provider.

If the service provider has undergone an SSAE 16 audit, it can provide its auditor's report (called the Service Auditor's Report) to the "user organization" and to all of its other clients.

Types of IT Audit: 4. SAS 94 Audit

A SAS 94 audit may involve any or all of the following six steps:
1. Physical and environmental review
2. System administration review
3. Application software review
4. Network security review
5. Business continuity review
6. Data integrity review

Using CobiT to perform an audit

The CobiT framework consists of 6 interrelated components:

1. Executive summary
2. Framework
3. Control objectives
4. Management guidelines
5. Implementation toolset
6. Audit guidelines
CobiT defines IT processes within four domains: PO (Plan and Organise), AI (Acquire and Implement), DS (Deliver and Support) and ME (Monitor and Evaluate). An audit conducted using CobiT does not vary from the IT audit lifecycle; the only difference is in the development of the audit program. If an audit program already exists, the IT auditor can map CobiT audit procedures back to the audit objectives and procedures already in place.

CobiT framework (diagram; figure not reproduced in this extract)

Using CobiT to develop an Audit Program

1. Perform a risk assessment to determine the appropriate high-level control objectives.
2. Describe the exposures that may result from failure to achieve each identified control objective.
3. Select the appropriate detailed control objectives.
4. Using CobiT's Audit Guidelines, enumerate the audit procedures to be performed.

Summary (1/2)

1. All IT audits follow a certain progression called the "IT audit lifecycle".
2. There are four main types of IT audits: Attestation, Findings and recommendation, SAS 70 Audit, and SAS 94 Audit.
3. The main difference between an attestation engagement and a findings and recommendations engagement is that in the former specific procedures are agreed upon, whereas the latter gives general, broad advice.

Summary (2/2)

4. A SAS 70 Audit is designed to provide assurance on a company's internal controls around a service provided to others.
5. A SAS 94 audit takes place as part of the regular financial audit.
6. ISACA's CobiT Framework, Control Objectives and Audit Guidelines can be used to design an audit program.

End – Q & A

Thank You
