
Chapter 3


FACULTY OF COMPUTING AND INFORMATICS

Information System Audit ISA822S


Chapter 3 – PERFORMING A RISK BASED IS AUDIT
OBJECTIVES
In this lesson, we'll discuss the basic stages of the audit process, how to conduct each one
effectively, and the following:
• The different types of internal controls
• Types of audit
• Audit sampling methods
• Computer-assisted audit techniques (CAATs)
• Planning
INTERNAL CONTROLS
• The concept of internal controls is fundamental to the auditing profession.
• The real mission of the internal audit department is to help improve the state
of internal controls at the company.
• But what are internal controls?
• Internal controls, stated in the simplest terms, are mechanisms that ensure
proper functioning of processes within the company.
• Every system and process within a company exists for some specific
business purpose.
• The auditor must look for the existence of risks to those purposes and then
ensure that internal controls are in place to mitigate those risks.
TYPES OF INTERNAL CONTROLS
NB: As already mentioned, controls can be preventive, detective or corrective, and they
can have administrative, technical and physical implementations.
• Administrative implementations include items such as policies and processes.
• Technical implementations are the tools and software that logically enforce controls (such
as passwords).
• Physical implementations include controls such as security personnel and locked doors.
INTERNAL CONTROL EXAMPLES
ACCESS CONTROLS
• If access to the system is provided to people who do not have a need for that access,
system data might be changed, added, or deleted inappropriately.
• What are some internal controls that would mitigate this risk?
• Require a user ID and password to access the system.
• Have a limited number of application security administrators who control the ability to
add new user accounts to the system.
• Ensure that the application security administrators are knowledgeable
BACKUPS AND DISASTER-RECOVERY PLANS
• If the system or its data were lost, system functionality would be unavailable, resulting in
a loss of your ability to track outstanding receivables or post new payments.
• What are some internal controls that would mitigate this risk?
• Back up the system and its data periodically.
• Ship backup tapes offsite.
• Document a disaster recovery plan.
IT CONTROLS
• The controls within an information system comprise all of the manual and programmed
methods, policies and procedures that ensure the protection of the entity's assets, the
accuracy and reliability of its records and operational adherence to management
standards.
• IT controls form part of the overall internal control structure of an entity and are classified
into the following three categories: general, application and specific controls.

https://simplicable.com/IT/it-control-examples
GENERAL
• These controls create the environment for the operation of the IT infrastructure and are
not specific to particular applications.
• Control categories include IT policies, procedures and standards, operational controls,
physical, programmed (logical) access, acquisition and business continuity and disaster
recovery controls.

• https://www.schneiderdowns.com/cybersecurity/it-general-controls-audit
APPLICATION
• Application controls are specific to a particular computer application.
• They include controls over the input of transactions, processing, output and
standing data.
SPECIFIC
• These controls include network and Internet, end-user computing and IT
security controls.

• Within this framework individual computer controls may be categorised as either:
 Programmed, i.e. built into the information systems themselves; or
 Manual, i.e. procedures operated to compensate for a lack of built-in controls.

https://www.diligent.com/resources/blog/application-controls
CONSEQUENCES OF IT CONTROL FAILURE
These are significant and include:
• Computer applications inappropriate to business objectives
• Unauthorised modification of data
• Loss of data integrity
• Unauthorised access to and/or disclosure of data
• Lack of continuity of service
• Wasted development resources.
INTERNAL AUDIT
• "The role of internal audit is to provide independent assurance that an organisation's
risk management, governance and internal control processes are operating effectively".
• The first line comprises the business process owners primarily responsible for
performing a specific business process.
• The second line consists of a risk function that monitors whether the first
line is adhering to the defined processes and provides guidance to the first line on
improving those processes.
• The first and second lines report directly to the business (e.g. the IT department reports to
the chief financial officer).
• Internal audit forms the third line. To keep its assurance independent of the first two lines,
it reports to the board or audit committee rather than to the management whose processes it audits.
EXTERNAL AUDIT
• As the name implies, an external audit is conducted by a third party, usually an audit
firm.
• An audit firm is typically contracted to audit the financial statements and express an
opinion on whether they are reasonable and fairly presented.
• A company is required by law to produce financial statements for each financial year.
The financial statements must be audited to provide assurance that the numbers presented are
accurate and free from material misstatement.
TYPES OF EXTERNAL AUDIT
• Compliance audit
Compliance means conforming to a set of rules or frameworks. Depending on the
nature of the organisation, there are specific rules or laws that it needs to comply
with. For example, banks must comply with requirements defined by the central bank,
mines must comply with environmental laws, and hospitals and doctors must comply with
rules defined by the health council.
• Forensic audit
Investopedia (2021) defines a forensic audit as one that "examines and
evaluates a firm's or individual's financial records to derive evidence used in a
court of law or legal proceeding". A forensic audit is usually conducted as part of
an investigation instituted by the board or management to determine whether there
was any form of misconduct or fraud.
• Operational audit
An operational audit evaluates a company's operating activities, both on a
day-to-day level and on a broader scale.
AUDIT DOCUMENTATION
The International Standard on Auditing (ISA) 230 published by the International Auditing and
Assurance Standards Board (2009) states that audit documentation serves the following purposes:
(a) Evidence of the auditor's basis for a conclusion about the achievement of the overall objectives
of the auditor;
(b) Evidence that the audit was planned and performed in accordance with ISAs and applicable
legal and regulatory requirements;
(c) Enabling the engagement team to be accountable for its work;
(d) Retaining a record of matters of continuing significance to future audits;
(e) Enabling the conduct of quality control reviews and inspections;
(f) Enabling the conduct of external inspections in accordance with applicable legal, regulatory or
other requirements.
AUDIT PROGRAM
• The audit program contains the procedures that the auditor plans to perform and
execute. The audit program helps the auditor reach the audit objective. For example, in
the example working paper that we looked at above, the IT auditor tests controls on the
stock management system.
REPORTING DOCUMENTATION
The reporting stage of the audit involves reporting exceptions and deficiencies identified
during the audit. Deficiencies are determined based on the evidence provided to the
auditors. We will cover deficiencies in detail later on.
WHAT IS IN THE WORKING PAPER
• The date the working paper is prepared;
• the period under review;
• the audit reference;
• the risk description, control ID and control description of the control under review (if applicable);
• the date the walkthroughs were conducted with the control owner;
• the design of the control;
• the implementation or operating effectiveness tests performed;
• cross-references to the evidence referenced in the working paper;
• documentation of how the evidence was obtained;
• sign-off by the IT auditor who prepared the working paper;
• sign-off by the IT auditor's manager who reviewed the working paper.
SAMPLING
• As an IT auditor, you will be required to select samples to test the operating
effectiveness of a specific control over a certain period.

• The audit function should define a sampling methodology to outline the basis for which
samples are selected.
• Auditors can choose samples based on the frequency of the control and the total
population of control occurrences.
WHAT IS AUDIT SAMPLING?
Why do auditors use sampling to look for material misstatements in financial statements
rather than testing every single item and every transaction? Testing every transaction is
often assumed to be ideal, but in practice it is neither feasible nor necessary.
Sampling is the process of examining only part of a set of data (the population),
sufficient to gain reasonable assurance about the entire population.
Sampling risk is the risk that the auditor's conclusion, based on the sample, differs from
the conclusion that would have been reached had the whole population been tested.
Non-sampling risk is the risk that, despite having selected an appropriate sample, the
auditor still arrives at the wrong conclusion for other reasons, such as misinterpreting
the evidence or applying an inappropriate procedure.
DIFFERENCE BETWEEN STATISTICAL AND NONSTATISTICAL SAMPLING
The two general approaches to audit sampling are statistical and nonstatistical:
• Statistical sampling: an objective method of determining the sample size and selection
criteria. Statistical sampling uses the mathematical laws of probability to:
(1) calculate the sample size,
(2) select the sample items, and
(3) evaluate the sample results and make the inference.
• Nonstatistical sampling (often referred to as judgmental sampling): uses auditor
judgment to determine the method of sampling, the number of items that will be examined
from a population (sample size) and which items to select (sample selection).
GUIDELINE ON SAMPLING
Control frequency       Population   Samples
Annually                1            1
Quarterly               1-4          2
Monthly                 5-12         5
Weekly                  13-52        10
Daily                   52-365       20
More than once daily    >365         40
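The guideline table and the statistical sampling steps above (calculate the sample size, select the items, evaluate the results) can be carried out in a short script. The following is an added example, not part of the original slides: it reads the sample size from the guideline bands, draws the items with a seeded random generator so a reviewer can re-perform the selection from the seed recorded in the working paper, and evaluates the outcome as a deviation rate. The monthly user-access-review population, the seed and the two missing sign-offs are constructed data for the example.

```python
"""Sample selection and evaluation for a control operating-effectiveness test.

Added example, not part of the original slides. The population, the seed and the
test outcomes below are constructed so the script runs offline.
"""
import random

# Guideline table from the slides as (largest population in the band, sample size).
# Bands are tested in order, so a population of 12 is treated as a monthly control.
GUIDELINE = [
    (1, 1),      # annually
    (4, 2),      # quarterly
    (12, 5),     # monthly
    (52, 10),    # weekly
    (365, 20),   # daily
]
SAMPLE_ABOVE_DAILY = 40  # more than once daily: population > 365


def sample_size(population_size):
    """Return the guideline sample size for a population of control occurrences."""
    if population_size < 1:
        raise ValueError("the control never operated in the period; nothing to sample")
    for band_max, size in GUIDELINE:
        if population_size <= band_max:
            return min(size, population_size)   # never select more items than exist
    return SAMPLE_ABOVE_DAILY


def select_sample(occurrence_ids, seed):
    """Draw the guideline number of items at random from the population.

    Sorting first makes the draw depend only on the population and the seed,
    not on the order in which the client system exported the records, so the
    same seed always regenerates the same sample for the reviewer.
    """
    population = sorted(occurrence_ids)
    size = sample_size(len(population))
    return sorted(random.Random(seed).sample(population, size))


def evaluate_sample(results):
    """results maps occurrence_id -> True if the control operated as designed.

    Returns (sorted list of exceptions, sample deviation rate). Each exception
    is written up as a finding (a deviation or a deficiency) in the report.
    """
    exceptions = sorted(occ for occ, operated in results.items() if not operated)
    return exceptions, len(exceptions) / len(results)


def run_example():
    """Monthly user-access review: 12 occurrences, 5 to be tested (constructed data)."""
    population = [f"UAR-2023-{m:02d}" for m in range(1, 13)]
    seed = 20230915                       # record this seed in the working paper
    sample = select_sample(population, seed)
    # Constructed test outcome: sign-off evidence missing for March and July.
    missing_signoff = {"UAR-2023-03", "UAR-2023-07"}
    results = {occ: occ not in missing_signoff for occ in sample}
    exceptions, rate = evaluate_sample(results)
    return sample, exceptions, rate


if __name__ == "__main__":
    sample, exceptions, rate = run_example()
    print("sample selected:", sample)
    print("exceptions:", exceptions, f"(deviation rate {rate:.0%})")
```

Recording the seed alongside the population extract is what lets the manager who reviews the working paper re-perform the selection independently, which the nonstatistical "auditor picks the items" approach cannot offer.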


EVIDENCE COLLECTION TECHNIQUES
• Inquiry and confirmation—The process of seeking information from experienced people familiar with the
subject matter. The experienced people need not be members of the enterprise being audited. This
procedure can range from formal written inquiries to informal oral inquiries.
• Observation—Observing a procedure or process being performed by those individuals who are typically
responsible for its performance or observing physical items such as facilities, computer hardware, or
information system settings or configurations. This type of evidence is limited to the point in time when the
observation took place. Practitioners should take into account that observing the performance of a process
or procedure may affect the way the procedure or process is performed.
• Inspection—Examination of internal or external documents and records. The items to be inspected can be
supplied in paper or electronic form. Inspection can also include physical asset examination.
• Analytical procedures—Evaluating data by examining possible relationships within the data or between the
data and other relevant information. This also includes examining fluctuations, trends and inconsistent
relationships.
• Recalculation/computation—The process of checking the arithmetical and mathematical accuracy of
documents or records either manually or through the use of CAATs.
• Re-performance—Independent performance of procedures and/or controls that were originally executed by
the information system or by the enterprise itself.
COMPUTER-ASSISTED AUDIT TECHNIQUES (CAATs)
• The Chartered Institute of Internal Auditors (2020) defines computer-assisted
audit techniques (CAATs) as the use of technology to help you evaluate controls
by extracting and examining relevant data.
• The use of CAATs helps auditors analyse large sets of data efficiently.
• CAATs fall into the category of data analytics when applied to large and complex
data sets. Even a formula in an Excel sheet, such as a VLOOKUP that matches records
between two extracts, is a simple form of CAAT.
• A technical IT auditor could write a structured query language (SQL) query to
analyse data directly within a database.
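As an added example of the SQL-based CAAT just described (not code from the original slides or from the CIIA), the script below tests the two access controls from the internal control examples earlier in this chapter: every active account should trace back to an access request approved by a line manager, and the number of application security administrators should stay within an agreed limit. The user and access-request tables, their rows and the administrator limit of two are constructed assumptions so it runs offline; against a real system the same queries would run on an extract of the application's user table and the ticketing system.

```python
"""CAAT: SQL queries over an application's user and access-request extract.

Added example, not part of the original slides. Tables, rows and the admin
limit are constructed assumptions; SQLite stands in for the client's database.
"""
import sqlite3

MAX_SECURITY_ADMINS = 2  # assumed limit agreed with management for this example

# Constructed sample data: seven accounts and the access requests raised for them.
USERS = [
    # (user_id, name, role, status)
    ("u001", "A. Brown", "clerk", "active"),
    ("u002", "B. Chen", "security_admin", "active"),
    ("u003", "C. Dube", "clerk", "active"),
    ("u004", "D. Evans", "security_admin", "active"),
    ("u005", "E. Fernandes", "security_admin", "active"),
    ("u006", "F. Gomez", "clerk", "active"),
    ("u007", "G. Hill", "clerk", "disabled"),
]
REQUESTS = [
    # (request_id, user_id, approved_by, approved_on); NULLs = never approved
    ("REQ-101", "u001", "mgr-01", "2023-02-01"),
    ("REQ-102", "u002", "mgr-02", "2023-02-03"),
    ("REQ-103", "u003", None, None),          # submitted, approval missing
    ("REQ-104", "u004", "mgr-02", "2023-03-10"),
    ("REQ-105", "u005", "mgr-03", "2023-03-12"),
    # u006 has an active account but no request at all
]


def build_sample_db():
    """Load the constructed extract into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE app_users (
            user_id TEXT PRIMARY KEY, name TEXT, role TEXT, status TEXT);
        CREATE TABLE access_requests (
            request_id TEXT PRIMARY KEY, user_id TEXT,
            approved_by TEXT, approved_on TEXT);
    """)
    conn.executemany("INSERT INTO app_users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO access_requests VALUES (?, ?, ?, ?)", REQUESTS)
    return conn


def users_without_approved_request(conn):
    """Active accounts with no access request carrying a manager approval.

    The approval condition sits in the JOIN, not the WHERE clause: putting
    approved_by IS NOT NULL in WHERE would silently drop users who have no
    request row at all, which is exactly the population we are looking for.
    """
    rows = conn.execute("""
        SELECT u.user_id, u.name
        FROM app_users AS u
        LEFT JOIN access_requests AS r
               ON r.user_id = u.user_id
              AND r.approved_by IS NOT NULL
        WHERE u.status = 'active'
          AND r.request_id IS NULL
        ORDER BY u.user_id
    """)
    return [user_id for user_id, _name in rows]


def security_admin_count(conn):
    """Number of active accounts holding the security administrator role."""
    (count,) = conn.execute("""
        SELECT COUNT(*) FROM app_users
        WHERE role = 'security_admin' AND status = 'active'
    """).fetchone()
    return count


def run_caat():
    """Run both tests and return the exceptions to be written up as findings."""
    conn = build_sample_db()
    findings = []
    unapproved = users_without_approved_request(conn)
    if unapproved:
        findings.append(f"{len(unapproved)} active account(s) without an approved "
                        f"access request: {unapproved}")
    admins = security_admin_count(conn)
    if admins > MAX_SECURITY_ADMINS:
        findings.append(f"{admins} security administrators, agreed limit is "
                        f"{MAX_SECURITY_ADMINS}")
    return findings


if __name__ == "__main__":
    for finding in run_caat():
        print("EXCEPTION:", finding)
```

The query output, together with the extract it ran against and the date the extract was taken, is the evidence that gets cross-referenced from the working paper; the two exceptions it reports (u003 whose request was never approved, u006 who has no request at all) are the raw material for the findings discussed in the reporting slides.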
REPORTING
• Reporting is the final stage within an audit's lifecycle. When the auditors have
completed their audit procedures, the audit outcomes should be reported back to
management.
• The final output of an IT audit is usually a report called a management letter.
• The management letter contains a brief overview of the procedures performed by the
auditors, the coverage period and an appendix containing the findings or deficiencies
identified by the auditors.
PARTS OF FINDINGS
DEVIATION
• A deviation is a departure from the designed operation of a control where the
mapped risk is nevertheless still addressed.
• For example, the organisation has a control that states that when a new user needs
access to a certain application, a request should be submitted via a ticketing system and
approved by the user's line manager.
• When testing the control, the auditor finds that requests are submitted via email instead
of the ticketing system, but the user's line manager still approves the request.
DEFICIENCY
• A deficiency is an exception identified in the performance of a control that prevents
the control from addressing the mapped risk.
MITIGATION VS REMEDIATION
• Findings identified during the audit should be both mitigated and remediated.
• Mitigation looks backwards: determine whether the organisation was actually exposed to
the risk while the control was not operating as designed. Remediation looks forward: put a
measure in place to prevent the finding from recurring in future.
