
THE AUDIT PROCESS

INTERNAL CONTROLS
Internal controls are mechanisms that ensure proper functioning of processes within the company.

Types of Internal Controls
- Preventive Controls
- Detective Controls
- Reactive Controls (aka Corrective Controls)

Internal Control Examples
- Software Change Controls
- Access Controls
- Backups and Disaster-Recovery Plans

DETERMINING WHAT TO AUDIT


Creating the Audit Universe
- Centralized IT Functions
- Decentralized IT Functions
- Business Applications

Ranking the Audit Universe
- Known issues in the area
- Inherent risk in the area
- Benefits of performing an audit in the area
- Management input

THE STAGES OF AN AUDIT


- Planning
- Fieldwork and documentation
- Issue discovery and validation
- Solution development
- Report drafting and issuance
- Issue tracking

PLANNING
The goal of the planning process is to determine the objectives and scope of the audit.

Basic sources that should be referenced as part of each audit's planning process:
- Hand-off from the audit manager
- Preliminary survey
- Customer requests
- Standard checklists
- Research

PLANNING
- Research
- Assessment
- Scheduling
- Kick-off Meeting

FIELDWORK AND DOCUMENTATION


The bulk of the audit occurs during this phase.
Now, the team is acquiring data and performing interviews that will help team members to analyze the potential risks and determine which risks have not been mitigated appropriately.
- Test things

The goal should be to document the work in enough detail so that a reasonably informed person can understand what was done and arrive at the same conclusions as the auditor.
First, it is needed to meet the standards of the profession.
Second, it is possible that in the future the findings of the audit may be questioned or .

Third, if the audit is performed again someday, retaining detailed documentation will allow the next audit team to learn from the experience of the previous audit team, thereby allowing for continuous improvement and efficiency.
- Here's what I did.
- Here's what I found.
- Here's my conclusion.
- Here's why I reached that conclusion.

ISSUE DISCOVERY AND VALIDATION


While executing fieldwork, auditors will develop a list of potential concerns. This is obviously one of the more important phases of the audit, and the auditor must take care to scrub the list of potential issues to ensure that all the issues are valid and relevant. In the spirit of collaboration, auditors should discuss potential issues with the customers as soon as possible.

SOLUTION DEVELOPMENT
Three common approaches are used for developing and assigning action items for addressing audit issues:
- The recommendation approach
- The management-response approach
- The solution approach

Guidance on Solution Development

REPORT DRAFTING AND ISSUANCE


The audit report serves two main functions:
- For you and the audit customers, it serves as a record of the audit, its results, and the resulting action plans.
- For senior management and the audit committee, it serves as a report card on the area that was audited.

Essential Elements of an Audit Report


- Statement of the audit scope
- Executive summary
- List of issues, along with action plans for resolving them

SIMPLIFIED EXAMPLE OF AN AUDIT REPORT


AUDIT SCOPE
During this audit, we reviewed the internal controls within the corporate accounts receivable (AR) system. This included a review of controls within the application and its related database and operating system. Physical security of the AR system server was not included in the scope of the review because those controls were tested during a recent audit of the data center.

EXECUTIVE SUMMARY
Strong controls were in place over account administration, but a number of control concerns were found related to software change controls. The most significant of these issues is the fact that developers have direct access to production code. This means that these programmers can alter production code functionality without going through proper testing and approval. The development team has developed an action plan for addressing this concern, which will result in their access being removed from the production environment. Further details are found in the Issues section below.

AUDIT ISSUES
1. Developers have direct access to update production code.
No technical or procedural controls are in place to prevent application support personnel from making unauthorized changes to the system.
Risk: Without proper software change controls, changes could be made to the application, either unintentionally or maliciously, that have not been approved and/or that have not been tested properly. These code changes could result in inaccurate system processing, the ability of an employee to execute fraudulent transactions, or system unavailability.
Solution: The AR system team will implement a baseline tool for protecting the production code. The ability to check new code into this tool will be limited to the group's manager and a backup, neither of whom has responsibility for performing code changes. Once this tool is implemented, the team will document procedures requiring approval and testing prior to submitting new production code for check-in.
Responsible: Clark Kent
Completion Date: xx/xx/xx

2. The default umask on the server is set to 000.
Risk: This means that, by default, when a new file is created, its file permissions are set so that anyone with access to the server will be able to read and write to the file. Since this server contains critical financial data files, this could result in inappropriate access and/or unauthorized changes to the data.
Solution: Nolan Ryan from the Unix infrastructure team will reset the default umask to 027 on the affected servers in the environment. Additionally, the Unix baseline documentation will be updated to include checking the default umask value prior to placing new systems into production.
Responsible: Nolan Ryan
Completion Date: xx/xx/xx
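
Added example (not part of the original slides): a shell sketch of the baseline check described in issue 2. It shows the mode a new file receives under a given umask and tests whether a umask is at least as strict as 027; the function names and the sample umask values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original slides. Function names are illustrative.

# Print the octal mode a newly created regular file receives under umask $1.
mode_under_umask() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/probe"                       # requested as 0666, then masked
        stat -c '%a' "$dir/probe" 2>/dev/null || stat -f '%Lp' "$dir/probe"
        rm -rf "$dir"
    )
}

# Return 0 if umask $1 removes at least every bit that baseline $2 removes
# (default 027, the value named in the report); 1 if weaker; 2 if not octal.
umask_meets_baseline() {
    current=$1
    baseline=${2:-027}
    case $current in ''|*[!0-7]*) return 2 ;; esac
    [ $(( 0$current & 0$baseline )) -eq $(( 0$baseline )) ]
}

# Constructed sample values: the finding (000), a common default (022),
# the remediated value (027) and a stricter one (077).
for u in 000 022 027 077; do
    if umask_meets_baseline "$u"; then verdict=PASS; else verdict=FAIL; fi
    echo "umask $u: new file mode $(mode_under_umask "$u"), baseline 027: $verdict"
done
```

On a live system, pass the output of `umask` from a login shell as the first argument to `umask_meets_baseline`.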

REPORT DRAFTING AND ISSUANCE


Additional Elements of an Audit Report
- Key Controls
- Closed Items
- Minor Issues

Distributing the Audit Report


Consider seeking permission from senior management to allow you to issue reports only to the lower-level management of the group being audited.

You can compensate for concerns that this will result in significant issues going unaddressed with a few additions to the process:
- Send the executive summary section of each audit to senior management.
- Assure senior managers that if any issue is not resolved in a timely manner, you will escalate it to them.
- Assure senior managers that you will let them know about any particularly material or pervasive issues.

ISSUE TRACKING
The audit is not truly complete until the issues raised in the audit are resolved, either by being fixed or by being accepted by the appropriate level of management.
The auditor shouldn't wait until the point is due or past due before contacting the customer, but instead should be in regular contact regarding the status of the issue.
