Continuously auditing any system or process is as vital as the building and maintenance stages of the initial build, all of which combine to create an effective product. There are eight phases of an audit engagement as described in Angel R. Otero’s publication, “Information Technology Environment and I.T. Audit”; these include the risk assessment, audit plan, preliminary review, design audit procedures, test controls, substantive testing, document results, and finally, communication (Otero, 2019).
In the risk assessment phase, the audit universe is created by inventorying all possible audit areas and domains within an organization. The risk assessment process is better described as developing the project’s scope. Various questions should be answered, including what the organization is, what it does, what department is in question, what systems the department uses, what systems the audit is supposed to focus on, what rules, regulations, policies, and laws are associated, what the time frame is for completion, and what personnel are involved. With this information, a risk assessment can be both crafted and performed on the associated assets, with the goal of identifying possible weak areas that the audit should focus on. There are several methods one can use to assess risk, including COBIT (Control Objectives for Information and Related Technology) and RMF (Risk Management Framework).
The next logical step in the audit process is creating an audit plan. As an audit can vary significantly in size and sophistication, planning for all possible scenarios, the scope, budgeting concerns, available personnel, and any associated rules, regulations, policies, and laws are all essential to an audit’s success. Audit plans cover various time ranges, including monthly, yearly, and long-range continuous, scheduled audits. In the audit plan phase, middle and senior management will meet to gather the necessary information from available sources and design a practical approach to conducting the next phases of the audit.
Next, much of the information required for performing the audit should be collected. Before diving into the actual audit, it is recommended to perform a preliminary or high-level review; this gives the auditors a broad overview of the project, letting them examine such things as the project’s scope and any areas of the audit plan that need improvement, as well as further understand budgeting concerns, available personnel, and any associated rules, regulations, policies, and laws.
Design Audit Procedures
The design audit procedures stage involves combining all previously collected data and creating the actual audit program. In the designing phase, controls and tests will be designed for each functional area of the audit, allowing the auditors to get an unfiltered and concise view of how the systems and processes are performing and what needs to be improved. Audits can be quite complicated depending on the situation, for example, if sensitive or confidential information is involved or if the sophistication of the systems in the audit is outside the skill level of the auditors; due to this, the audit design stage needs to be well-researched and communicated to all members of the audit.
With the audit plan and procedures done, the audit controls need to be tested; this involves examining documentation, conducting interviews, performing inspections, and making personal observations (Otero, 2019). For example, if an audit of an IT system is in the works, one may interview the programmers and administrators of the system; by cross-referencing their interviews, one can effectively get a baseline of the answers, allowing the auditors to better understand if their auditing plan will be right for the job (McCafferty, 2016).
Substantive testing should be performed next, validating the data collected in the audit; here, secondary checks are performed on the audit’s targets, enabling auditors to gain confidence in their findings. For example, if last month’s transactions in a piece of financial processing software were audited by an individual, a secondary check can be made using a separate software-based program to verify the data’s correctness.
In any good project, documentation is vital to all phases. With all of the above steps completed, auditors must document every step in the journey, showing and proving how they got their data, what their data shows, and how to improve future audits. Similar to a forensic data investigation, the resulting data found is just as important as the process used to extract the data, meaning that the method needs to be documented to be able to prove how it was obtained.
Finally, we have the communication phase of the audit process. Even the most effective audit is nothing without the ability to accurately and simply convey the information to the project’s stakeholders. With the aid of the documentation phase, a report should, at this point, already be created, allowing the audit’s management to deliver the results of the audit (Otero, 2019).
Otero, A. R. (2019). Information Technology Environment and I.T. Audit. In Legislation Relevant to Information Technology (Fifth ed., pp. 31-58). Boca Raton, Florida: CRC Press.
McCafferty, J. (2016, April 6). Five Steps to Planning an Effective IT Audit Program. Retrieved December 14, 2020, from https://misti.com/internal-audit-insights/five-steps-to-planning-an-effective-it-audit-program.