Audits are performed to ascertain the validity and reliability of information, and also to provide an assessment of a system's internal control. The goal of an audit is to express an opinion on the person, organization, system, etc. under evaluation, based on work done on a test basis.
The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, water management, and energy conservation.
• The role of the auditor goes back many hundreds of years. There are records from ancient Egypt and Rome showing that people were employed to review work done by tax collectors and estate managers.
• The emphasis was very much on the detection of fraud and other irregularities.
• The emphasis has changed and the role of the auditor has become much more sophisticated.
Audits can be categorized into two types:
• Financial audit
• Non-financial audit
Financial audit: Addresses questions of accounting, recording, and reporting of financial transactions. Reviewing the adequacy of internal controls also falls within the scope of financial audits.
Non-financial audit: It is non-statutory and serves two purposes:
• It checks the company's compliance with standards.
• It determines whether a product or service satisfies the customer's demands in terms of quality and features.
A legally required review of the accuracy of a company's or government's financial records. The purpose of a statutory audit is to determine whether an organization is providing a fair and accurate representation of its financial position by examining information such as bank balances, bookkeeping records and financial transactions.
For example, a state law may require all municipalities to submit to an annual statutory audit examining all accounts and financial transactions and to make the results of the audit available to the public. The purpose of such an audit is to hold the government accountable for how it is spending taxpayers' money.
When the audit is not a statutory requirement, but is conducted at the desire of the owners, such an audit is a private audit. The audit is conducted primarily for their own interest. At times the private audit may become a requirement under tax laws, if the turnover exceeds a specified limit.
Private audit is of the following types:
1. Audit of sole proprietorships
2. Audit of partnership firms
3. Audit of individuals' accounts
4. Audit of institutions not covered by statutory audit
The examination, monitoring and analysis of activities related to a company's operation, including its business structure, employee behavior and information systems.
Internal audit is found to play the following roles:
• Check whether existing controls are effective and adequate.
• Check whether financial and other reports show the actual results of the company.
• Check whether subunits are following the policies and procedures laid down by the company.
Analysis and assessment of the competencies and capabilities of a company's management in order to evaluate their effectiveness, especially with regard to the strategic objectives and policies of the business. The objective of a management audit is not to appraise individual executive performance, but to evaluate the management team in relation to their competition.
Addresses the internal control environment of automated information processing systems and how these systems are used. IS audits typically evaluate system input, output and processing controls, backup and recovery plans, and system security, as well as computer facility reviews.
IA's scope of work is comprehensive and considers all aspects of the organization - both financial and non-financial - with an emphasis on constructive improvement.
• Staffing the audit team
• Creating an audit project plan
• Laying the groundwork for the audit
• Analyzing audit results
• Sharing audit results
• Writing audit results
• Dealing with resistance to audit recommendations
• Building an ongoing audit program
Company Directors:
• Assurance that statutory responsibilities concerning accounts have been carried out.
• Availability of expert advice.
• The letter of weakness.
To Shareholders:
• Assurance that accounts show a true and fair view and comply with statutory requirements.
Other organizations with published accounts:
• Assurance that accounts are reliable.
• In addition, they provide reliable accounts to regulatory bodies such as the Companies Registry, the stock exchange, etc.
Primary Objective:
To produce a report by the auditor of his opinion of the truth and fairness of financial statements so that any person reading and using them can believe in them.
Secondary Objective:
• To detect errors and fraud
• To prevent errors and fraud by the deterrent and moral effects of the audit
• An audit can neither help in prioritizing changes nor in allocating resources.
• An audit cannot mobilize people to take action, though it identifies various problems that exist in the organizational system and processes.
• An audit cannot generate better data than the measures used to gather it.
Audit evidence is evidence obtained during a financial audit and recorded in the audit working papers.
• In the audit engagement acceptance or reappointment stage, audit evidence is the information that the auditor considers for the appointment. For example, changes in the entity's control environment, inherent risk and nature of the entity's business, and scope of audit work.
• In the audit planning stage, audit evidence is the information that the auditor considers in choosing the most effective and efficient audit approach. For example, reliability of internal control procedures, and analytical review systems.
• In the control testing stage, audit evidence is the information that the auditor considers in deciding the mix of audit tests of control and audit substantive tests.
• In the substantive testing stage, audit evidence is the information that the auditor uses to confirm that the financial statement assertions are appropriate. For example, existence, rights and obligations, occurrence, completeness, valuation, measurement, presentation and disclosure of a particular transaction or account balance.
• In the conclusion and opinion formulation stage, audit evidence is the information that the auditor considers in judging whether the financial statements as a whole are presented with completeness, validity, accuracy and consistency with the auditor's understanding of the entity.
An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".
The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business. Currently, there are many IT-dependent companies that rely on information technology in order to operate their business, e.g. telecommunication or banking companies.
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. One of the most important roles of the IT audit is to audit the critical systems in order to support the financial audit or to support specific regulations, e.g. SOX.
Integrated information technology audit compliance, quality assurance, business continuity, disaster recovery, IT governance, fraud, risk, and forensics resources for information technology auditors, internal auditors, application auditors, compliance, information security and forensics professionals.
The IT audit aims to evaluate the following:
• Will the organization's computer systems be available for the business at all times when required? (known as availability)
• Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)
• Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)
In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.
The audit process is generally a ten-step procedure:
1. Notification & Request for Preliminary Information
2. Planning
3. Opening Meeting
4. Fieldwork
5. Communication
6. Draft Report
7. Management Responses
8. Closing Meeting
9. Report Distribution
10. Follow-up
• Technological innovation process audit
• Innovative comparison audit
• Technological position audit
Five categories of audits:
1. Systems and Applications
2. Systems Development
3. Management of IT and Enterprise Architecture
4. Client/Server, Telecommunications, Intranets, and Extranets
5. Information Processing Facilities
This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
Technological position audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".
Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.
The deep dive audit involves detailed study of the IT infrastructure deployed - hardware, software, connectivity, power, security, MIS, and usability by end users. Other areas of study include identifying process coverage, data integrity, productivity improvements, reporting frequency and adequacy, training adequacy, and system availability.
The focal points of the IT audit are:
• Business functionality
• Ease of use
• Security
The capstone of the Technology Audit is the Audit Findings Report, which includes gap analysis, recommendations pertaining to technology upgrade / downgrade, training requirements and a plan of action. The Technology Audit recommendation sets the direction for organizations to optimize Return on Investment on IT.
• Advising the Audit Committee and senior management on IT internal control issues
• Performing IT Risk Assessments
• Performing:
  • Institutional Risk Area Audits
  • General Controls Audits
  • Application Controls Audits
  • Technical IT Controls Audits
• Internal Controls advisors during systems development and analysis activities
February 14, 2007
• IT Audit plays a major role in development of the IT Governance framework
• Moving away from a policing role into a specialist role in the areas of risks and control
• Adding value at strategic and operational levels through the provision of business risk-focused advice and assurance
• Legislation is having a profound impact on IT Auditing (SOx, GLBA, HIPAA, FERPA, Privacy Notification Regulations …)
• The continuously changing technology environment brings new risks (i.e. Cyber security, wireless …)
• Inadequate or Lack of Management Oversight
• Poor Segregation of Duties
• Inadequate or Lack of Supporting Documentation
• No Business Continuity/Disaster Recovery Plan
• Change Management
• Data Security
• Data Loss Incidents
There are also new audits being imposed by various standards boards which are required to be performed, depending upon the audited organization, which will affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant. An example of such an audit is the newly minted SSAE 16.