Abstract
No matter whether the engagement team members use one, a combination, or all control study techniques, upon completion, the assigned IT auditors should have a sufficient understanding to perform competent audit area controls evaluation. That is, controls study completion empowers an IT audit team with the ability to determine if adequate controls deployment exists for key IT audit area processes, activities, and tasks. Chapter 4 conveys the evaluation of audit evidence, audit working papers development, determining if control objectives are met, reassessing IT audit risk, and assessing planned IT audit testing.
TopIntroduction
For the IT audit team members, identifying and evaluating audit area control techniques entails determining whether controls are in place to ensure meeting control objectives, and appropriately address specific risks (Davis, 2005, 2011b). When inscribed, a control objective represents a projected actualization statement of the desired result, or purpose, for implementing control tasks within an activity (Davis, 2005, 2011b). Furthermore, each identified control objective should take into consideration the nature of the enterprise, the mission of the program or function, and related processes, as well as external requirements (Davis, 2011b). Therefore, IT audit team members must determine whether all identified IT audit area controls are associated with at least one control objective linked to information or technology criteria (Davis, 2011b). Additionally, the IT audit team members must attempt to identify and evaluate Critical Success Factors, Key Performance Indicators, Key Risk Indicators, and Benchmarks for all IT audit area control objectives (Davis, 2011b).
Critical Success Factors, Key Performance Indicators, Key Risk Indicators, and Benchmarks enable managerial assessment of high-level control objectives. Critical Success Factors encompass identifying and addressing vital subjects necessary for accomplishing process control (Davis, 2005, 2011b). Key Performance Indicators are the success measures informing management concerning business specifications fulfillment (Davis, 2005, 2011b). Key Risk Indicators are probability measures informing management concerning the possibility of successfully achieving objectives (Davis, 2005, 2011b). Benchmarks elucidate development zones. The applied benchmarks allow management to determine the organization’s prevailing sophistication zone, ascertain sophistication zone aspirations (considering risks and objectives) and render a basis for comparison of IT control practices against peers or industry conventions (Davis, 2005, 2011b).
An engagement’s IT audit program conveys procedural instructions for achieving the IT audit objective by the IT audit team members (Davis, 2005, 2011b). There is an expectation that IT audit team members will follow the provided procedures. However, circumstantially, upon studying the area under audit, the IT audit team members may need to inscribe additional IT audit program procedures (Davis, 2011b; ISACA, 2014a). IT audit team members consider design materiality when preparing additional IT audit procedures. The IT audit planner commonly assigns a quantitative design tolerable rate that is one-third of planning materiality (Davis, 2005, 2011b). Any approved additional IT audit procedures need to exceed the predetermined quantitative design materiality threshold (Davis, 2005; 2011b).
Designed IT audit procedures can be quantitatively immaterial (Davis, 2005, 2011b). However, designed IT audit procedures can be qualitatively material (Davis, 2005, 2011b). Audit management subjectively interprets qualitative materiality (Davis, 2005, 2011b). Therefore, assigned IT audit team members inscribe material qualities linked to any additional designed procedure if the additional designed procedure is quantitatively immaterial (Davis, 2005, 2011b).
Key Terms in this Chapter
Control Environment: A set of elements assisting in controlling an enterprise.
Gantt Chart: Conveys the pictorial approach using rectangular shapes to represent the expected and actual performance of tasks.
Internal Control Review: Determines if controls are in place and resultant in providing reasonable assurance of legal compliance, reliable information reporting, as well as efficient and effective operations.
Control Measures: Are the detailed set of guidelines and procedures that management establishes over systems, processes, activities, or tasks.
Project Evaluation and Review Technique: Represents a network-based approach to scheduling large complex projects, with many interrelated activities.
Control Objective: Defines the control purpose as a statement of an attainable, time-targeted, and measurable target that the enterprise seeks to meet.
Audit Evidence: Is the obtained proof of a system, activity, or task that substantiates the results achieved in reaching conclusions during the engagement by an IT auditor.