At inception, the study of control processes demands an IT auditor identify and relate applicable auditing standards to control activities. An IT audit controls study produces sufficient audit area documentation, demonstrating a comprehensive investigation concerning IT and related manual processes associated with the defined auditable units. Most business processes have control measures assisting in accomplishing the audit area's control objectives. Chapter 3 covers the IT audit study of control activity through presenting tasks addressing internal and external control systems, general and application controls, as well as laws and regulations. Additionally, Chapter 3 discusses the documentation of audit evidence.
TopIntroduction
Audit management approved the IT audit plan (Davis, 2005, 2011b). The in-charge IT auditor informed audit area management of the IT audit function’s accountability, authority, and responsibility during the opening conference (Davis, 2005, 2011b). Now, with the IT audit plan’s audit program inscribed, the IT audit team members are ready to begin, what is commonly called, fieldwork (Davis, 2005, 2011b).
Audit standards guide engagement personnel in the performance of fieldwork (Davis, 2005, 2011b). Audit standards serve as the basis for auditing concepts regarding the study of controls considering evidential matter collection necessary to render an opinion (Davis, 2005, 2011b). Categorically, audit fieldwork generally represents two distinct processes: study and testing (Davis, 2005, 2011b). An assigned IT auditor’s survey of controls produces sufficient audit area documentation demonstrating comprehensive investigation concerning IT and related manual processes. Most business processes incorporate control measures assisting in accomplishing control objectives (Davis, 2005, 2011b).
Enterprise related controls can provide design, operation, and monitoring mechanisms for safeguarding assets, appraising accuracy, and ensuring adherence to policies, procedures, standards as well as rules (Davis, 2005, 2011b). An organization’s employees should tenaciously seek to establish integration between different internal components for sustaining an effective and efficient ICS (Mahadeen et al., 2016). From a financial integration perspective, organization, policies, procedures, personnel, accounting, budgeting, reporting, and reviewing internal controls represent ICS means to govern an enterprise (Davis, 2005, 2011b). Usually, IT is a strategic, tactical, and operational component for ICS implementation. IT can furnish or aid in establishing appropriate enterprise controls if the proper processes are installed (Davis, 2005, 2011b). Therefore, a business process internal control environment indirectly imposes management’s assurance of an adequate IT control environment (Davis, 2005, 2011b).
IT controls are typically implemented to regulate business activities and monitor resource allocations (Davis, 2005, 2011b). At the detail-level, pre-numbered source documents, suspense accounts, and cryptography are controls because they meet at least one of the eight previously mentioned ICS-Control Activities criteria (Davis, 2005, 2011b). These examples of generally accepted detail-level controls may be present in information systems (Davis, 2005, 2011b). Therefore, using element transitivity theory, information system detail-level controls can be linked to the IT-level general and application controls as well as enterprise-level control activities (Davis, 2005, 2011b).
The deployed audit area IT does not solely define the type of evidence auditors will encounter (Davis, 2005, 2011b). IT use is an equally important consideration in identifying evidence (Davis, 2005, 2011b). For instance, a relational database can replace a set of sequential tape files or deployed to store data accessed concurrently by diverse users (Davis, 2005, 2011b). Therefore, IT and its usage affect the type of evidence collected and analyzed during an IT audit (Davis, 2005, 2011b). Nevertheless, experience has demonstrated that many of the severe control weaknesses occur in user areas before and after computer processing (Davis, 2005, 2011b).