IT Audit Program & Audit Report

Audit or Assurance

Assurance

Audit

number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter

formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met

Difference

audit is independent from operational functions, which allows audit to provide objective and unbiased opinions about the effectiveness of the internal control environment

Assurance activities can be performed by different compliance functions while audit activities should be performed by audit professionals only

Audit & Assurance Programs

what?

more granular description of the work to be performed to meet the engagement objectives

objectives

Audit Methodology

Audit Process

Phases

fieldwork

reporting

planning

Formally document audit procedures and sequential steps

Create procedures that are repeatable and easy to use by internal or external auditors who need to perform
similar audits

Document the type of testing that will be used (compliance and/or substantive)

Meet general accepted audit standards that relate to the planning phase in the audit process

skills to develop good
audit programs

Good understanding of the nature of the enterprise and its industry to identify and categorize the types of risk and threat

Good understanding of the IT space and its components and sufficient knowledge of the technologies that
affect them

Understanding of the relationship between business risk and IT risk

A basic knowledge of risk assessment practices

Understanding of the different testing procedures for evaluating IS controls and identifying the best method of
evaluation

Steps to Develop an Audit and Assurance Program

Knowledge, skills and experience needed to prepare and execute fieldwork

Physical locations or business entities that will be part of the scope

Resources needed to meet the engagement’s objective

Sources of information about business processes and supporting technologies

Inputs

Set
audit scope

Perform
preaudit planning

Define
audit objective

Determine
procedures

Determine
audit subject

what?

set of documented procedures that are designed to achieve the audit objectives

should be approved by management

include a statement of scope, objectives and audit programs

phases

Audit subject

Objective

Scope

Pre-audit planning

Audit procedures and steps for data gathering

Procedures to evaluate the test

Reporting and communication

Report preparation

Audit Report

what?

issues in the standard format as prescribed by regulating standards related with auditing

issued by an auditor to enable the users of financial statements to make decision based on the results of audit

Auditor Report

written opinion of an auditor regarding an entity's financial statements

process

Audit Evidence

Misstatement

Evaluation

Opinion

Auditor’s report

modification to auditor's opinion

Unqualified opinion

auditor concludes that the financial statements are prepared in all materials respect in accordance with applicable financial reporting framework

Qualified opinion

auditor, either on the basis of evidence obtained or otherwise, concludes that misstatements are material but not pervasive to the financial statements

clean opinion and issued when there is no disagreement with management or limitation of scope in the audit

Auditor may encounter disagreement with management or limitation of scope but the effect of those is not so material and pervasive as to require an adverse opinion or disclaimer of opinion

Disclaimer of opinion

auditor is unable to obtain sufficient appropriate audit evidence on which to base the opinion and the auditor concludes that possible effects of such undetected misstatements, if any, on the financial statements could be both material and pervasive

Due to limitation of scope is so material and pervasive, auditor is not able to obtain sufficient appropriate audit evidence and accordingly is unable to express an opinion on the financial statements

Adverse opinion

when the auditor, having obtained sufficient appropriate audit evidence concludes that misstatements are both material and pervasive to the financial statements

Disagreement with management is so material and pervasive that qualification of report is not adequate to disclose the misleading or incomplete nature of the financial statements