Deciding to perform an IT audit
The IT auditor decides whether to audit IT systems which have an impact on the objectives of the audit by gathering and assessing information on related risks and controls.
Applies to: Compliance audit, Financial audit, Performance audit. Phase: Planning. Ref: 16.701
Please see also the pages on planning an IT audit and performing an IT audit.
Definitions
IT risks are the risks associated with the adoption, ownership, use, operation, and maintenance of IT systems, representing the threats and vulnerabilities associated with these systems.
IT controls are the policies, procedures, practices, activities, tools, mechanisms, or other techniques used by an entity to manage IT risks, and can be of an administrative, technical, management or legal nature.
IT audit is the examination of IT controls to identify instances of deviation from criteria, including assessing compliance with policies and procedures, laws, regulations, contracts and guidelines; the confidentiality, integrity and availability of data and information; and the efficiency and effectiveness of IT operations.
Principles
An experienced IT auditor carries out an initial assessment of IT risks which affect the objectives of the audit. The IT auditor is usually from the IT audit team but can also be an auditor from the chamber who has the appropriate training.
When deciding whether to perform an IT audit, we identify and document all the components of the IT environment, the IT systems and subsystems that affect the area we are auditing, and we evaluate the extent of their impact on the audit objectives.
We gather information about the IT risks relevant to our audit, and the controls established to mitigate them, to obtain an overview of how the auditee manages IT risk and how this can impact the audit.
We assess the IT systems’ importance, complexity and associated risks, and determine which are most critical to the audit.
Based on the outcome, we decide whether to perform an IT audit or a review of the minimum IT controls, assess the level of expertise we will require, and provide this information to the audit team for inclusion in the task plan.
Instructions
The auditee's IT environment
To obtain an understanding of the audit area and/or of the entity and its environment, identify and document all the components of the IT environment for the auditee's processes:
obtain information on the role of IT in the organisation and how it helps the auditee achieve its objectives;
understand how the IT department and operations are organised and identify key IT roles in the organisation;
understand where responsibility for managing the IT systems used by the auditee lies;
identify the key processes, information flows and transaction flows which are relevant to the area being audited; and
collect information on the key IT controls in place.
IT systems relevant to the audit
To identify the IT systems that impact the audit, and to which extent, consider the following:
for a financial audit, identify the IT systems involved in preparing the financial statements, especially those used for accounting operations, and which may be associated with a risk of material misstatement. Examples of such systems could include accounting systems, payroll systems, banking/payment systems, business intelligence systems, robotic process automation systems etc.;
for a compliance audit, identify the IT systems the auditee uses to comply with applicable laws and regulations, policies and procedures. Such systems could include workflow management systems, decision support systems, data collection and data processing systems, reporting systems etc.; and
for a performance audit, identify the IT systems which are part of the internal control system of the auditee with a direct or indirect impact on performance. In addition, consider assessing the impact of the systems on the reliability of data to be used as evidence, understand the relevant dataflows and identify the IT systems involved in the collection, processing, reporting, and dissemination of data.
Consult previous ECA reports, audit programmes, policy scans, subject briefs, internal presentations, information on the auditee that is publicly available, or ask the auditee directly, for example in interviews or by checking the inventory of IT systems.
Assess the impact these systems and sub-systems have on the objective of the audit. For complex systems, use the Identification of IT systems tool to document your understanding of each system's purpose and assess its impact on the audit objective(s). This can help you determine which of the systems to prioritise.
IT risks identified by the auditee
For background information on levels of IT risk associated with IT systems, review the most common IT risks.
Determine whether the auditee systematically identifies, assesses, responds to, and monitors IT risks using processes that are aligned with international standards and best practice such as ISO/IEC 27005 (Information security, cybersecurity and privacy protection - Guidance on managing information security risks) and the NIST special publications SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments) and SP 800-39 (Managing Information Security Risk).
If possible, obtain the auditee's most recent IT risk register and IT security plan.
IT controls in place
Obtain an overview of the IT controls set up and operated to address each of the specific IT risks for the IT system under review.
IT controls can exist at several levels within the auditee:
IT governance controls: these controls form the IT control environment, setting the tone and culture of IT in the organisation. They describe how IT is viewed by, and integrated into, the structure and functioning of the auditee's strategies, policies, procedures, risk assessment, resource management, training, ethics, quality assurance and internal audit.
General IT controls: controls in place for the auditee's IT activities, which apply to all IT systems. These provide a reliable environment for IT applications to be developed, operated, managed and maintained, and are embedded within IT processes such as application development, access management and change management, as well as in safeguards built into routine IT operations such as backup and maintenance of the IT infrastructure.
Application controls: these are embedded within applications and directly support the processes under review. For example, for a financial reporting application, application controls could include restricting access to specific transactions, prohibiting the recording of unauthorised transactions, or manual reconciliations.
ISA 315, Appendix 6: Considerations for Understanding General IT controls provides further details that can be considered.
At a minimum, identify and understand the following categories of controls implemented by the auditee:
IT governance;
change management;
information security;
business continuity; and
third-party providers and outsourcing.
See also the page on the design and implementation of IT controls.
The criticality of the IT system
The criticality of an IT system is the combination of its importance for the audit, its complexity and the potential impact of the IT risks associated with it. The criticality of a given IT system can vary from one audit to another, depending on its importance for the audit objectives and the risks associated with it.
Consider the following:
state of digitalisation of the auditee: the more the processes depend on IT, the higher the IT risk;
importance of the IT system to the organisation: the greater the impact of a potential system failure on the organisation overall, the higher the IT risk;
relevance of the IT system to the audit: if the processes you are auditing are highly automated, this increases the level of IT risk;
accessibility to the public: systems that are directly accessible from the internet are more likely to face security risks;
interfaces with other systems: interfaces and interdependencies with other systems increase the IT risk;
certifications and accreditations: certified and accredited systems can provide assurance on some elements of IT risk;
previous IT audits: recent IT audits can provide assurance regarding elements of IT risk; examine carefully the scope of these IT audits to ensure that the relevant areas are covered;
IT security risk assessments: if a system has recently undergone an IT security risk assessment and the findings are being addressed, cyber and information security risks are reduced, to the extent that the assessment covered the relevant areas and the remediation of findings can be verified;
system development: commercial off-the-shelf (COTS) systems with low levels of customisation are typically less risky than systems developed in-house;
sensitivity of processes and data: if the system handles sensitive processes and data, a data breach is both more likely and more damaging; and
emerging technologies: if the system is highly dependent on emerging technologies that have not been fully evaluated and tested, the risk of the system not performing as expected increases.
To perform the IT criticality assessment you can use the IT criticality assessment tool to help you quantify the impact of the factors above.
For each IT system under review, conclude on whether:
it is not critical for achieving the audit objectives, or there are no significant IT risks affecting the audit (low criticality);
several IT risks exist, and IT control failures may affect the audit objective (medium criticality); or
several significant IT risks exist, the audit is highly dependent on the use of technology, or IT control failures significantly affect the audit objective (high criticality).
Based on the level of criticality of the IT system under review, apply the set of minimum IT controls to assess whether there is sufficient and reliable evidence on the existence and effectiveness of these controls.
Whether to perform an IT audit
Based on the information you have gathered and the level of criticality of the IT system (low, medium, high), decide together with the audit team and the hierarchy how to address the IT risks. As a guide:
if the criticality of the system is low, or if you have sufficient and reliable evidence on the existence and effectiveness of IT controls, you may decide not to perform any additional procedures;
if the criticality of the system is low or medium, and you do not have sufficient and reliable evidence on the existence and effectiveness of IT controls, include in the audit a review of minimum IT controls using the minimum IT controls checklist as a baseline; or
if the criticality of the system is high, or the criticality of the system is medium and the review of minimum IT controls still does not give you sufficient evidence of the existence and effectiveness of IT controls, plan and perform an IT audit.
Related documents
Standards
COSO Internal Control – Integrated Framework
COBIT framework
Last Modified: 05/12/2024 15:25