Conducting Information Systems Audit
By Wale Wahab
Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Several steps are required to perform the audit:
1. Planning the audit
This is the step in which the Auditor attempts to gain an understanding of the business and the internal controls used within an organization.
2. Test of controls
This is the step in which the Auditor tests significant controls within a system to evaluate whether they are operating effectively.
3. Test of transaction
This is the step in which the Auditor undertakes substantive tests to evaluate whether a material loss or account misstatement has occurred or might occur.
4. Test of balances or overall result
This is the step in which the Auditor seeks to obtain sufficient evidence to make a final judgment on the extent of losses or account misstatements that have occurred or might occur.
5. Completion of the audit
This is the step in which the Auditor gives an opinion on whether material losses or account misstatements have occurred or might occur.
General audit procedures are the basic steps in the performance of an audit and they usually include the following:
- Obtaining an understanding of the audit area / subject
- Risk assessment and general audit plan and schedule
- Detailed audit planning
- Preliminary review of audit area / subject
- Evaluating audit area / planning
- Compliance testing (testing of controls)
- Substantive testing
- Reporting (communicating reports)
- Follow-up
Audit Approach: Risk-Based vs. Baseline
The Auditor should plan his audit strategy to determine the extent of work he wishes to perform on the organization's activities. His audit approach will depend on the size of the organization and level of reliance he wishes to place on the internal control system.
Allocation of audit resources in terms of staff and time also depends on the type of approach embarked upon by the Auditor. Two approaches are considered here: the Baseline audit approach and the Risk-Based audit approach.
The baseline audit approach assumes that all the areas to be audited have their own risks and therefore the same weight of resources should be directed to all the areas to be audited. It merely applies a standard set of protection regardless of risk.
Meanwhile, when the Risk-based audit approach is used, it is believed that all areas to be audited have various weights of risks; therefore resources to be directed to these areas should depend on the amount of risk that the Auditor believes is associated with the areas to be audited.
Presently, many organizations use the Risk-Based Audit approach because of its many advantages over the Baseline approach, such as:
- Cost saving in not over-protecting information
- Reduction of risk by not under-protecting information
- Enabling management to effectively allocate limited resources, thereby enhancing the maintenance of systems efficiency
- Establishing a basis for effectively managing the audit department
The Risk-based approach will ultimately ensure that an appropriate level of protection is applied, commensurate with the level of risks and asset value.
The baseline approach only allows more resources to be directed towards the assets at a greater risk (causing over-protection of assets) or invariably the standard of resource may not measure up to the risk of some other audit area (under-protection).
To perform an audit using the Risk-Based approach, the following steps are necessary.
1. Gathering of information and planning
This involves:
- Acquiring knowledge of the industry in which the organization belongs, and the business of the organization itself.
- Familiarizing with the industry's norms and regulatory statutes
- Reviewing the recent financial situation (at least for the last three years, if it is not just commencing operations) and the cash flow position of the industry.
- Reviewing the prior year's audit result, and
- Assessing the inherent risks associated with the business and specific audit areas.
2. Obtaining understanding of the system of internal control
This involves:
- Assessing the control and detection risk
- Equating the total risk and checking if it is acceptable
- Touring or going through the control environment and the laid down control procedures
3. Testing compliance
The performance of compliance testing really goes into the internal control policies and procedures.
It involves asking questions like:
- Are policies and procedures adhered to?
- Is there adequate separation and segregation of incompatible duties?
4. Perform Substantive Test
This involves:
- Analytical procedures
- Detailed test of account balances
- Other substantive audit procedures
- Concluding the Audit
- Suggesting recommendations as to the results of the audit findings
- Writing a detailed audit report
About the Author
Wale Wahab runs the "Audit, Control & Security of Information Assets" website, where he offers a free e-book on how to perform electronic audit using CAAT software. His site can be found at http://www.ultimatesystemssolutions.com/itauditebook.com/
Article Source: http://www.simplysearch4it.com/article/39864.html