Hi all. We all know that IT has become backbone of businesses and organizations around the world. Equally important (thanks to SOX) it has become for the external auditors to verify the adequacy of Internal Controls Over Financial Reporting (ICOFR). SOX recommends using of accepted controls frameworks and its outcome has been that COSO and COBIT has become widely accepted control frameworks in internal controls and IT controls.
We know that audit firms conduct IT Audits for their clients to fulfill their assurance and compliance needs. These IT Audits cover IT Infrastructure from medium complexity to high complexity.
Now here are the burning questions---
1-How do these audit firms assess the complexity of IT Environment
2-How they actually conduct the IT Audit, "from Pre-Audit Planning to Audit Report"
3-When they go to a client for the actual IT Audit, what "document" they have in hand, based on which they formulate their IT Audit Checklist?
In short---How do they conduct IT Audit from the start to the end and what documents/checklists etc they possess to successfully carry out their IT Audit engagement?
Anyone who can answer and help?
<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica, san" id="quote">quote<hr height="1" noshade id="quote"><i>Originally posted by jamali_5711</i>
<br />Hi all. We all know that IT has become backbone of businesses and organizations around the world. Equally important (thanks to SOX) it has become for the external auditors to verify the adequacy of Internal Controls Over Financial Reporting (ICOFR). SOX recommends using of accepted controls frameworks and its outcome has been that COSO and COBIT has become widely accepted control frameworks in internal controls and IT controls.
We know that audit firms conduct IT Audits for their clients to fulfill their assurance and compliance needs. These IT Audits cover IT Infrastructure from medium complexity to high complexity.
Now here are the burning questions---
1-How do these audit firms assess the complexity of IT Environment
2-How they actually conduct the IT Audit, "from Pre-Audit Planning to Audit Report"
3-When they go to a client for the actual IT Audit, what "document" they have in hand, based on which they formulate their IT Audit Checklist?
In short---How do they conduct IT Audit from the start to the end and what documents/checklists etc they possess to successfully carry out their IT Audit engagement?
Anyone who can answer and help?
<hr height="1" noshade id="quote"></font id="quote"></blockquote id="quote">
Well Mr Jamali This is not a small topic,it will take pages to answer your questions.... if u are intrested than i start giving you the answer...
Dear Jamil
I have been involved in IS/IT audit with KPMG, you are very right. IT audits have vital role with financial audit. The scope of overall IT audit to give assurance on Information system which the organization is using on particular/ different financial/non financial applications. However according to your questions, firms do a lot of test/ compliance and system walk through tests
Now lets come to your Questions
1)IT auditor assess it through analyzing their IT policies, their financial application reviews and after implementing their IT audit procedure to evaluate weather IT is supporting Information System which is ultimately producing financial information
2) IT audit conducted at pre audit planning phase to give assurance on IT complexities, behavior and its implication. However IT audit could be conducted anytime, if Financial auditor need some assistance on IT prospective which is called special queries raised by Auditor. It could be conducted on that time to give assurance.
So, IT auditor and Financial both works with same objectivity but with a different scope.
3)Well, in IT audit every firms have many design different controls, assertions, implementation and overall effectiveness assurance through different audit manuals, In KPMG it is global designed which is implemented in 140 countries.
I hope it would give you a basic idea of IT audit work, as far as how auditors work on it, it has different phases, documents, requirements, scopes, checklists, evaluation techniques, system analysis, audit evidences and plenty of other formal documentations.
Regards