[toc-this]
Principles
Auditors of the ECA can audit the IT systems of EU Institutions and member states (MS) involved directly or indirectly in the management of EU funds.
Information technologies in the EU context are not themselves very significant in budgetary terms; however, they play a key role in the management of the EU Institutions and the implementation of the EU budget.
IT audit at the ECA can be used to achieve the following audit goals:
- Get assurance that the data managed with IT systems, which are part of the audit scope, are exhaustive, complete and reliable (as part of financial or performance audit).
- Get assurance that IT controls comply with the relevant regulations (as part of legality and regularity financial audit).
- Assess the maturity of IT controls and the efficiency, effectiveness and economy of the IT function (as independent IT audit, or as part of performance audit).
The methodology for auditing in an IT environment varies according to whether the objective is a financial, performance or IT audit. For illustrative purposes, this page focuses on the task of financial audit in an IT environment.
Instructions
In carrying out IT audit work, auditors are required to respect the general principles of the ECA’s audit approach.
In the same way as any other audit work, IT audit should be executed, documented, supervised, and subject to [link title="quality%20management%20procedures" link="%2Faware%2FGAP%2FPages%2FQuality-management.aspx" /]
in accordance with the ECA's audit methodology.
Auditing in an IT environment
IT risks and controls in the internal control framework
The procedures for initiating, recording, processing and reporting transactions, and for recording the corresponding assets and liabilities, are usually implemented within IT systems. Since financial data are therefore predominantly electronic, financial and administrative controls are also increasingly electronic in nature.
The storage and processing of information in IT systems introduces new risks and possible control weaknesses, owing mostly to the ease with which data and the IT systems themselves can be modified.
Information systems fall within the "information and communication" component of the five-component internal control framework, the [link new-window title="Coso%20framework" link="https%3A%2F%2Fwww.coso.org%2FPages%2Fguidance.aspx" icon="external-link" /]
, and key IT controls should be in place to mitigate IT-related risks and thus ensure the confidentiality, integrity and availability of data and the efficiency and effectiveness of business processes.
Examples of risks and their IT sources:
| Risk | IT-related risk source |
| --- | --- |
| Individual errors become systematic | Automation replacing manual operations |
| Failure to identify the performer of the transaction | Electronic transactions not logged |
| Unauthorised access and changes to data | Electronic data not properly secured |
| Loss (destruction) of data | Electronic data not protected (backups and archiving) |
| Disclosure of confidential information | Electronic data not properly secured |
| Control weaknesses undetected | IT risks and controls not (adequately) considered in audit |
The use of IT systems in business processes changes the nature of [link title="audit%20evidence" link="%2Faware%2FGAP%2FPages%2FAudit-evidence.aspx" /]
, the audit trail and the internal control environment. It also creates vulnerabilities to [link title="irregularities" link="%2Faware%2FCA%2FPages%2FConcepts%2FConcept-of-legality-and-regularity.aspx%23Regularity" /]
and fraud, and audit procedures are therefore necessary in order to deal with these challenges.
Where accounting or other information systems are computerised, the auditor determines whether internal controls are functioning properly to ensure the integrity, reliability and completeness of the data.
Audit objectives
The audit of controls on IT systems should have specific objectives, including verification of the accounts or other data produced by the system (e.g. data extracted for sampling purposes). The evaluation of internal controls should vary according to the type of audit and the degree of reliance the auditor wishes to place on them.
Reliability of data
When IT systems data are an important part of the audit and data reliability is crucial to accomplishing the audit objective, auditors should satisfy themselves that the [link title="data%20are%20reliable" link="%2Faware%2FGAP%2FPages%2FSpecific%2FAuditee-data-collection.aspx%23Before-asking-for-data" /]
and relevant.
Data produced, stored or provided to the auditor by means of IT should not be treated as reliable until the auditor has convincing [link title="evidence" link="%2Faware%2FGAP%2FPages%2FAudit-evidence.aspx" /]
that this is the case. The quality of the data received from the auditee may significantly influence whether or not the audit objectives are achieved.
Evidence for the reliability of the computerised data provided by an auditee may come, depending on the nature of the data, from assurance that internal controls on IT are functioning securely and correctly, from cross-checking of the data (e.g. by reconciling them with data from other sources), or from a combination of the two.
The absence of appropriate IT controls may give rise to conditions and events indicating a risk of [link title="material" link="%2Faware%2FGAP%2FPages%2FCA-FA%2FPlanning%2FMateriality.aspx" /]
misstatement. This in turn would influence the nature, timing and extent of subsequent IT-related audit procedures.
Use of IT audit in financial audit
The objectives of IT audit in the context of a financial audit include:
- Understanding the overall impact of IT on key business processes;
- Assessing management controls on IT processes;
- Understanding how the use of IT for processing, storing and communicating information affects internal control systems, inherent risk and control risk;
- Evaluating the effectiveness of controls on IT processes which affect the processing of information.
Use of IT audit in performance audit
IT audit may be used in the context of a performance audit when:
- The audit focuses on the performance of IT systems;
- The audit examines the efficiency and effectiveness of a business process and/or programme where IT is a critical tool for the organisation delivering those services;
- Data reliability is to be assessed.
Typical IT audit work at the ECA
IT audit work at the ECA occurs mainly in the context of:
- Financial audits: reviewing key general controls and related application controls on information systems;
- Compliance audits: reviewing whether IT controls comply with rules and regulations, usually the Financial Regulation (FR) and Internal Control Standards (ICS);
- Specific IT audits: when the main audit objective is linked to the effectiveness and efficiency of IT.
The IT Audit Approach
IT audit steps necessary to plan and implement audits:
Planning phase
The objective of the planning phase is to identify risks that are relevant to the audit goals and determine which controls will be assessed during the execution phase:
- General controls (relating to the IT control environment);
- Application controls (in IT applications of relevance to financial management).
Obtain background information
During the planning phase it is important for the auditor to obtain an understanding of the auditee's IT systems, an inventory of the auditee’s IT systems and resources (IT budget and staffing, IT organisation, software and hardware) and a statement of the concerns arising from previous internal or external audits of IT systems.
Identify IT systems of relevance to financial management
IT systems for accounting and financial reporting comprise procedures and databases for initiating, recording, processing and reporting transactions and recording the auditee's corresponding assets and liabilities.
The auditor must identify which IT applications are important in the context of financial reporting and business management and obtain sufficient information and understanding in their regard.
In order to facilitate the evaluation of risks and the planning of IT audit tasks, the auditor should document:
- which IT applications feed into the financial statements;
- which transactions are processed through IT applications;
- which areas of the accounts (such as administrative expenditure) are subject to IT systems.
Assess the complexity of the IT systems
The purpose of assessing the complexity of IT systems is to:
- Identify risks - complex systems are more risky than simple ones;
- Decide whether there is a need for external assistance. In principle, auditors are competent to carry out IT audit tasks in relation to simple systems, with the IT audit team providing support in the audit of more complex systems.
The following factors will influence this assessment:
- Hardware and network complexity;
- IT applications and data entry methods;
- IT organisation;
- The presence of systems under development or recently subject to change;
- The sensitivity of the processed data;
- Any specific difficulties affecting the audit trail;
- The auditor’s technical knowledge and skills.
Preliminary risk assessment
Using all the information obtained in the previous steps, the auditor will then make a preliminary risk assessment.
Just as in the more general audit context, internal control in IT comprises two elements:
- the internal control environment, i.e. the overall attitude, awareness and actions of management;
- internal control procedures, i.e. procedures complementary to the control environment which contribute to the entity’s achievement of its objectives.
Note that the overall assessment of control risk should not be more favourable than the assessment of the internal control environment, since even excellent control procedures can be undermined by a poor control environment.
Identifying the risk of material misstatement
The auditor should be aware of conditions or events that may indicate a risk of [link title="material" link="%2Faware%2FGAP%2FPages%2FCA-FA%2FPlanning%2FMateriality.aspx" /]
misstatement consequent upon the use of IT. The following is a non-exhaustive list of factors that should be considered, when performing the preliminary risk assessment, as contributing to the risk of material misstatement:
- Changes in the IT environment;
- Installation of significant new IT systems;
- Insufficient controls on the transfer of data between IT systems;
- Inconsistency between the entity’s IT and business strategies.
Output of the risk assessment
The auditor should:
IT audit work in the task plan
The results of the planning phase (steps 1-4) should be stated in the [multi-link title="task%20plan" link_1="%2Faware%2FGAP%2FPages%2FCA-FA%2FPlanning%2Ftask-plan-audit-programme.aspx" title_1="Compliance%20and%20financial" link_2="%2Faware%2FPA%2FPages%2FPlanning%2FTask-plan.aspx" title_2="Performance" /]
.
Technical expertise and necessary skills and resources not available in-house, should be sought and organised externally to collect the required [link title="audit%20evidence" link="%2Faware%2FGAP%2FPages%2FAudit-evidence.aspx" /]
. This assistance should be planned at the preliminary stage of the audit, in coordination with the DQC IT audit team.
Execution phase
What are general controls?
General controls relate to the environment within which automated application systems are developed, maintained and operated. They are concerned with IT-related policies, procedures and working practices.
They are used to ensure the proper development, implementation and maintenance of all automated applications and the integrity of data files. They therefore minimise risks to the functioning of the organisation's IT systems and infrastructure and specific risks to applications.
General controls include:
- IT governance and management controls are high-level controls designed to provide a formal IT governance framework aligned with the business strategy. IT strategic planning and monitoring, IT policies and procedures, IT roles and responsibilities, the segregation of duties, IT risk, project and investment management, and legal and regulatory compliance can all be considered IT governance and management controls;
- Data management controls ensure that data are properly stored, archived and disposed of. They also help ensure the reliable production of financial and management information;
- Business continuity planning addresses the scenario of a computer systems breakdown and concerns the organisation’s arrangements for protecting data and continuing or restarting operations in that situation;
- Information security controls help organisations establish and maintain IT security roles, responsibilities, policies, standards and procedures. They include logical access controls aimed at ensuring that data can only be seen or altered by authorised persons, inside or outside the organisation, and in accordance with data protection requirements. Information security controls are also concerned with preventing unauthorised access to and interference with IT systems;
- Change management controls provide assurance that systems and controls continue to function as designed;
- Outsourcing controls: as more organisations outsource IT services, managing service-level agreements has become crucial. Depending on the scope of outsourcing, inadequate management of the outsourced services could be detrimental to the IT areas subject to control.
Review of general controls
When reviewing general controls in a financial audit, the most important information criterion is integrity (reliability), i.e. audit assurance that the information is valid, accurate and complete. In a performance audit, the most important aspects may be [link title="efficiency" link="%2Faware%2FPA%2FPages%2FConcepts%2FEfficiency.aspx" /]
and [link title="effectiveness" link="%2Faware%2FPA%2FPages%2FConcepts%2FEffectiveness.aspx" /]
.
The effectiveness of IT controls depends on the strength of the general controls. If the auditor concludes that the general controls are effective, they should then assess the effectiveness of the application controls. Ineffective general controls, however, render application controls ineffective (or severely limit their effectiveness), since general controls are the foundation on which specific application controls are built. Application controls are to be considered ineffective when, for instance, the necessary logical or physical access controls are not functioning adequately.
The auditor must consider the cost of obtaining audit evidence. A full audit of general controls can require substantial technical resources. However, adequate assurance can usually be obtained from a more limited examination in the light of the risk assessment performed during the planning phase, and by drawing on other sources of information.
The [link title="checklist%20for%20general%20controls" link="%2Faware%2FDocuments%2FIT-general-controls-checklist.docx" icon="file-word-o" /]
provides guidance for reviewing general controls through a set of close-ended questions that are mainly concerned with the most significant control objectives in relation to data reliability and the IT control environment. The checklist will help auditors check the main IT control objectives, which are based on the [link title="COBIT%20framework" link="https%3A%2F%2Fwww.isaca.org%2Fresources%2Fcobit" icon="external-link" /]
in reference to the EU's regulatory framework and information criteria.
Auditors should conduct their examination using the refined [link title="checklist%20for%20general%20controls" link="%2Faware%2FDocuments%2FIT-general-controls-checklist.docx" icon="file-word-o" /]
that was obtained at the end of the planning phase.
If the auditor concludes that the general controls are not functioning effectively, the application controls will generally also be ineffective. The auditor should review the application controls only if the general controls are effective.
What are application controls?
Application controls, which may be manual (performed by users) or automated (performed by computer software), are procedures that apply to the processing of transactions by individual applications and are designed to ensure the integrity and confidentiality of data.
Application controls relate to procedures that are used to initiate, record, process or report transactions or other financial data. They help ensure that transactions were duly authorised and completely and accurately recorded and processed.
The main objectives of application controls are:
- Completeness – the application processes all transactions, and the resulting information is complete;
- Accuracy – all transactions are processed accurately and as intended, and the resulting information is accurate;
- Validity – only valid transactions are processed, and the resulting information is valid;
- Authorisation – only duly authorised transactions are processed;
- Segregation of duties – the application provides for and supports appropriate segregation of duties and responsibilities as defined by management.
These objectives are targeted using six main types of application control ([link title="COBIT" link="https%3A%2F%2Fwww.isaca.org%2Fresources%2Fcobit" icon="external-link" /]
):
- System documentation controls;
- Input controls;
- Processing controls;
- Output controls;
- Data transmission controls;
- Standing data and master file controls.
Review of application controls
The audit of application controls is not necessarily highly technical. Many applications are designed to give definite assurance to management that data and processing are in order, without the need for IT experts. In such cases, the checks and procedures (including manual procedures) routinely carried out by regular users may give satisfactory assurance that data and output are reliable. This level of assurance will also be adequate for auditors – except in the case of specific IT audits (network performance, penetration tests, security issues, user rights, change management, technical documentation, etc.).
Application controls on systems should be audited in accordance with the risk assessment performed during the planning phase, focusing on systems which have a direct impact on financial data and are more material to the audit objective. For instance, compared with an accounting application, a document management system may have only an indirect impact on financial data.
Manual and automated application controls
Automated application controls embedded in an application reduce the risk of human error or manipulation of information and are therefore more reliable than manual controls. Once properly established, automated application controls remain reliable until the next change to the program. Effective general controls therefore allow more reliance to be placed on automated rather than manual application controls.
Where manual application controls are in place, the auditor should assess arrangements for user cross-checking in the form of a manual comparison of computer-processed data with the source documents.
When checking application controls on the systems identified during the planning phase, the auditor may make use of the general framework in the [link title="list%20of%20application%20controls" link="%2Faware%2FDocuments%2FIT-application-controls-checklist.docx" icon="file-word-o" /]
.
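The cross-checking of auditee data against other sources described under "Reliability of data", and the completeness, authorisation, segregation-of-duties and audit-trail objectives of application controls described above, can be run together as a computer-assisted audit procedure over a data extract. The script below is an added example written for this page; it is not ECA code and is not part of the checklists linked above. The payment extract, the independently supplied control totals, the list of authorised approvers and the audit-log lines are all constructed for illustration, and the field names (`id`, `amount`, `initiator`, `approver`) are assumptions.

```python
"""Data-reliability checks over a constructed payment extract.

Added illustration (not ECA code). It tests a small extract against the
application-control objectives of completeness, authorisation and
segregation of duties, reconciles it with control totals supplied
separately by the source system, and checks that every transaction
leaves a traceable performer in the audit log.
"""
from decimal import Decimal

# Constructed sample extract (hypothetical; not from any real system).
EXTRACT = [
    {"id": "T001", "amount": Decimal("1200.00"), "initiator": "alice", "approver": "bob"},
    {"id": "T002", "amount": Decimal("350.50"), "initiator": "carol", "approver": "carol"},  # same person initiates and approves
    {"id": "T003", "amount": Decimal("9800.00"), "initiator": "dave", "approver": "erin"},   # erin is not an authorised approver
    {"id": "T004", "amount": Decimal("75.25"), "initiator": "alice", "approver": "bob"},     # no audit-log entries
]

# Control totals obtained independently from the source system (constructed).
# They cover one more record than the extract, i.e. the extract is incomplete.
SOURCE_CONTROL = {"count": 5, "total": Decimal("11525.75")}

# Approvers authorised by management (constructed).
AUTHORISED_APPROVERS = {"bob", "carol"}

# Constructed audit-log lines: "<timestamp> <user> <action> <transaction id>".
AUDIT_LOG = """\
2024-03-01T09:12:04Z alice CREATE T001
2024-03-01T09:15:31Z bob APPROVE T001
2024-03-01T10:02:17Z carol CREATE T002
2024-03-01T10:02:40Z carol APPROVE T002
2024-03-01T11:44:09Z dave CREATE T003
2024-03-01T11:50:55Z erin APPROVE T003
"""


def check_completeness(extract, control):
    """Completeness: record count and control total must reconcile with the source."""
    count = len(extract)
    total = sum(t["amount"] for t in extract)
    return {
        "count_diff": control["count"] - count,   # records missing from the extract
        "total_diff": control["total"] - total,   # amount missing from the extract
        "reconciled": count == control["count"] and total == control["total"],
    }


def segregation_breaches(extract):
    """Segregation of duties: the initiator must not also be the approver."""
    return [t["id"] for t in extract if t["initiator"] == t["approver"]]


def unauthorised_approvals(extract, approvers):
    """Authorisation: only approvers on the management-defined list may approve."""
    return [t["id"] for t in extract if t["approver"] not in approvers]


def parse_audit_log(text):
    """Group log entries by transaction id as (timestamp, user, action) tuples."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, action, txn_id = line.split()
        entries.setdefault(txn_id, []).append((timestamp, user, action))
    return entries


def missing_audit_trail(extract, log_entries):
    """Audit trail: every transaction needs both a CREATE and an APPROVE entry,
    otherwise the performer of the transaction cannot be identified."""
    missing = []
    for t in extract:
        actions = {action for _, _, action in log_entries.get(t["id"], [])}
        if not {"CREATE", "APPROVE"} <= actions:
            missing.append(t["id"])
    return missing


def run_checks():
    """Run all checks and return the findings per control objective."""
    log_entries = parse_audit_log(AUDIT_LOG)
    return {
        "completeness": check_completeness(EXTRACT, SOURCE_CONTROL),
        "sod_breaches": segregation_breaches(EXTRACT),
        "unauthorised": unauthorised_approvals(EXTRACT, AUTHORISED_APPROVERS),
        "no_audit_trail": missing_audit_trail(EXTRACT, log_entries),
    }


if __name__ == "__main__":
    for objective, finding in run_checks().items():
        print(f"{objective}: {finding}")
```

Each function returns the identifiers of the transactions that fail one control objective, so the findings can be documented per objective as the reporting phase requires. The completeness check reports the difference in record count and amount rather than a bare pass/fail, because the size of the gap is what determines whether the affected area of the accounts could be materially misstated.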
In the case of robust IT systems (e.g. ABAC, SAP), the auditor should identify other application controls in accordance with the financial regulatory framework after evaluating the complexity of the application and the related IT risks.
Remember that application controls on robust IT systems should be reviewed when auditing the owner of the system rather than other users (Agencies, joint undertakings, etc.).
Reporting phase
Following the assessment of IT controls the findings should be documented, with a general conclusion on the effectiveness of IT controls, in accordance with the ECA's audit methodology.
Document findings
The auditor should document each significant finding, with a statement of the regulatory framework, facts, conclusion and IT risks.
Auditors should explain each control weakness in relation to the IT risks. They should also determine which areas of the accounts could be negatively affected by a control weakness.
Overall assessment
In addition to the individual findings, the auditors should reach an overall conclusion about IT controls.
The assessment may lead to three possible conclusions in the context of the financial audit:
- IT controls functioned effectively, consistently and continuously during the period under review;
- weaknesses are noted in the effectiveness and continuity of IT controls, but the overall system is considered reliable;
- IT controls are unreliable, i.e. they did not function as expected and/or they did not function continuously during the period under review and/or they could not be tested.
Resources
[icons-list icon-size="2" separator="line" icon-vertical-alignment="middle" vertical-alignment="middle"]
[icon-list-item title="Checklist%20of%20general%20controls" description="" link="%2Faware%2FDocuments%2FIT-general-controls-checklist.docx" icon="file-word-o" /]
[icon-list-item title="Checklist%20of%20application%20controls" description="" link="%2Faware%2FDocuments%2FIT-application-controls-checklist.docx" icon="file-word-o" /]
[icon-list-item title="IT%20audit%20glossary" description="" link="%2Faware%2FDocuments%2FIT-audit-glossary.docx" icon="file-word-o" /]
[/icons-list]
[/toc-this]