Activity: Finalizing the IT Audit Project Plan

Copyright: © 2020 |Pages: 29
DOI: 10.4018/978-1-7998-4198-2.ch002


When addressing IT audit planner responsibilities, the in-charge IT auditor must inscribe and communicate an engagement's objectives, ambit, and examinable units based on an obtained audit area understanding. Through synthesizing relevant audit standards and guidelines as well as professional experience, Chapter 2 presents crucial outputs for completing the IT audit planning process. Chapter 2 discusses issues related to planned compliance and substantive testing and then provides primary documentation requirements of an operational IT audit plan. Chapter 2 also presents IT audit planner tasks when conferencing with the engagement auditee(s) and associated communication distribution.
Chapter Preview


An information systems-based audit reflects tactical-level IT audit planning. Thus, operational IT audit area planning is a derivative exemplification of tactical-level IT audit planning (Davis, 2005, 2011b). Like tactical-level IT audit planning, IT operational-level planning may employ various audit selection methodologies (Davis, 2005, 2011b). Methodologies available for determining IT auditable units include Methodical, Directed, Intuitive, and Planned (Davis, 2005, 2011b).

Methodical planning constructs all conceivable auditable units associated with an IT audit area (Davis, 2005, 2011b). Directed planning requires collaboration with IT audit area personnel for defining IT auditable units (Davis, 2005, 2011b). Intuitive planning relies on IT audit planner proficiency or conjecture to envision auditable units (Davis, 2005, 2011a). The planned methodology requires sorting risk rating analysis from highest to lowest ranking for all excogitated audit units (Davis, 2005, 2011b). Nonetheless, whatever planning methodology is employed to select the auditable units for examination, IT audit working papers must contain relevant engagement information (Cascarino, 2012; Davis, 2005, 2011b).

When using a system approach for finalizing the IT audit operational plan, the IT audit planner ascertains engagement IT audit objective(s), ambit, materiality, IT control, and IT AR. In building the IT audit operational plan, the IT audit planner defined the auditable units after obtaining a preliminary understanding of the IT audit area’s control environment, information system(s), and control procedures. Correspondingly, as part of the process of IT audit planning, information gathering occurs through reviewing enterprise objectives and organizational practices (Davis, 2011b; ISACA, 2013a) to acquire IT audit area knowledge. However, the required extent of engagement knowledge is dependent on the enterprise nature, environment, risk areas, and objectives (ISACA, 2013a).

The IT audit planner ensures the IT audit operational plan complies with statutory requirements as well as contemporary ISACA standards (ISACA, 2013b). The ISACA (2013a) standard mandates, where appropriate, using a risk‐based approach when planning an information systems-based audit. Moreover, during the finalization of the IT audit operational plan, the IT audit planner must also define the IT audit period and forecast examination methods (Davis, 2005, 2011b; ISACA, 2013a).

Coinciding with finalizing the IT audit plan, the IT audit planner must address engagement‐specific issues within the IT audit plan documentation (ISACA, 2013a). Engagement‐specific issues may include projected auditor testing, deployable audit resources, audit tools identification, and the preparation or summarization of information for reporting (ISACA, 2013a). Standard IT audit plan documentation also includes conveying the assessment criteria, as well as reporting requirements and distribution (ISACA, 2013a). The finalized IT audit plan describes the IT audit objective and ambit with enough supporting material for the development or acquisition of an appropriate audit program (Davis, 2005, 2011b).

An engagement letter issuance must occur to complete the IT audit planning process (ISACA, 2013a). Engagement letters confirm discussions with audit area personnel as well as objectives and ambit agreements (Cascarino, 2012). After ascertaining the roles and responsibilities relevant to the IT audit area, the IT audit planner prepares and submits an engagement letter for the opening auditee conference (Cascarino, 2012; Davis, 2011b; ISACA, 2014a). This chapter provides primary documentation requirements of an IT audit project plan and discusses opening conference tasks.

Key Terms in this Chapter

Fieldwork: The performance of two distinct classifications, study and evaluation of controls and testing during an assurance engagement.

Audit Program: The inscribed action plan for completing audit objectives.

Irregularities: Perpetration of intentional snide conduct by an individual during the duty performance.

Engagement Letter: Details of the IT auditor’s responsibility, authority, and accountability during an assignment.

Error: The unintentional incorrect performance of a task.

Omission: Negligence associated with the exclusion of pertinent information.

Audit Criteria: The information collected by the IT auditor to substantiate conclusions reached during an engagement.

Mistake: An unintentional misunderstanding of interpreted information.
