
CONTENTS

1. Introduction on IS Audit
1.1. Introduction
1.2. Audit Objectives

2. Audit in Computerized Environment
2.1. Understanding the Computerized Environment
2.2. Accounting Information Systems in a Computerized Environment
2.3. Impact of IT on the Economics of Auditing
2.4. Concept of Security
2.5. IS Management
2.6. Availability of Information Systems
2.7. Access Control
2.8. Database Management
2.9. Application Controls and their Functioning
2.10. Evaluation of Business Risks
2.11. Conversion Audit

3. Audit Organization and Management
3.1. Organization Strategy
3.1.1. Hiring the Right People
3.1.2. Improving Audit Processes
3.1.3. Focusing on Collaboration
3.2. IS Audit as Review of Management

4. Risk Based Audit Framework
4.1. Introduction to the Risk Based Audit Framework (RBAF)
4.1.1. What is an RBAF?
4.1.2. Why do we need an RBAF?
4.1.3. Development and Implementation of the RBAF
4.1.4. Planning and Preparing an RBAF
4.2. Components of an RBAF
4.2.1. Introduction
4.2.2. Roles, Responsibilities and Relationships
4.2.3. Program Profile
4.2.4. Risk Assessment and Management Summary
4.2.5. Program Monitoring and Recipient Auditing
4.2.6. Internal Auditing
4.2.7. Reporting Strategies
4.3. RBAF/RMAF Integration

5. Audit Standards
5.1. Code of Professional Ethics
5.2. IS Auditing Standards
5.3. IS Auditing Guidelines

6. Use of Computer Assisted Audit Techniques (CAAT)
6.1. Background
6.2. Planning
6.3. Performance of Audit Work
6.4. CAATs Documentation
6.5. Reporting

1. Introduction on IS Audit

1.1 Introduction

The Working Group on Information Systems Security for the Banking and Financial Sector, constituted by the Reserve Bank of India, recommended that each bank in the country should formulate an Information Systems Audit Policy. Accordingly, the Information Systems Audit and Security cell prepares the bank's Information Systems Audit Policy. The fundamental principle is that risks and controls are continuously evaluated by their owners, where necessary with the assistance of the IS Audit function.

Business operations in the banking and financial sector have become increasingly dependent on computerized information systems over the years; it is no longer possible to separate information technology from the business of the banks. Focused attention is therefore needed on the corporate governance of information systems in a computerized environment and on the security controls that safeguard information and information systems. Developments in information technology have a tremendous impact on auditing, and a well-planned and structured audit is essential for risk management and for the monitoring and control of information systems in any organization.

1.2 Audit Objectives

Auditing is a systematic and independent examination of the information systems environment to ascertain whether the objectives set out to be achieved have been met. Auditing is also described as a continuous search for compliance. The objectives of an IS audit are to identify the risks that an organization is exposed to in the computerized environment, to evaluate the adequacy of the security controls, and to inform management with suitable conclusions and recommendations. IS audit is an independent subset of the normal audit exercise. It is an ongoing process of evaluating controls and suggesting security measures for the purpose of safeguarding assets and resources, maintaining data integrity, and improving system effectiveness and efficiency so that the organization's goals are attained.

1.2.1 Safeguarding IS assets

The information systems assets of the organization must be protected by a system of internal controls. These assets include hardware, software, facilities, people, data, technology, system documentation and supplies. Hardware can be damaged maliciously; software and data files can be stolen, deleted or altered; and supplies of negotiable forms (blank cheques and drafts, for instance) can be used for unauthorized purposes. The IS auditor is required to review the physical security over the facilities, the security over the systems software and the adequacy of the internal controls. The IT facilities must be protected against all hazards, whether accidental or intentional.

1.2.2 Maintenance of Data Integrity

Data integrity means safeguarding information against unauthorized addition, deletion, modification or alteration. The desired properties of the data are:

a. Accuracy: Data should be accurate. Inaccurate data leads to wrong decisions and thereby hinders the business.
b. Confidentiality: Information should not lose its confidentiality; it should be protected from being read or copied by anyone who is not authorized to do so.
c. Completeness: Data should be complete; a record that never reached the system is as damaging as one that is wrong.
d. Reliability: Data should be reliable, because business decisions are taken on the basis of the current database.
e. Efficiency: The ratio of output to input is known as efficiency. If more output is obtained with the same or less input, system efficiency is achieved; otherwise the system is inefficient. If computerization degrades efficiency, the purpose of automating the process is defeated. IS auditors are responsible for examining how efficient the application is in relation to its users and workload.

2. Audit in Computerized Environment

2.1 Understanding the Computerized Environment

This section explains how a computerized environment changes the way business is initiated, managed and controlled. Information technology helps to mitigate and better control business risks, and at the same time brings technology risks of its own. Computerized information systems have special characteristics that require different types of controls: technology risks are addressed by general IS controls and business risks by application controls. Even though the controls are different, the objectives of the audit function do not change whether information is maintained in a computerized or a manual environment; what changes are the tools and techniques. The changes in controls and in audit tools and techniques have resulted in new methods of audit. The internal controls are mapped onto the technology, and the auditor needs to understand both the controls and this mapping, as well as the methods to evaluate and test them. To work effectively in a computerized environment the auditor must acquire new skills, which fall into three broad areas:

First, an understanding of computer concepts and system design.

Second, an understanding of the functioning of the Accounting Information System (AIS), the ability to identify new risks, and an understanding of how the internal controls are mapped onto the computers to manage technology and business risks.

Third, knowledge of the use of computers in audit.

Acquisition of these skills has also opened up new areas of practice for auditors, such as information systems audit, security consultancy and web assurance.

2.2 Accounting Information Systems in a Computerized Environment

This section brings out the fact that the Accounting Information System in a manual environment and in a computerized environment are not the same.

In the computerized environment accounting records are kept in computer files of three types: master files, parameter files and transaction files. This classification is based not on the type of record but on the need for and frequency of updating and on the level of security required: a master file (account balances, customer details) is updated by every transaction, a parameter file (interest rates, limits, approver lists) changes rarely and only under authorization, and a transaction file holds the day's input. File and record security is implemented using the facilities provided by the operating system, the database and the application software.

With the increasing use of information systems, transaction processing systems (TPS) play a vital role in supporting business operations, and very often the TPS is in fact the AIS. Every transaction processing system has three components: input, processing and output. Since computers follow the GIGO (garbage in, garbage out) principle, the input to the system must be accurate, complete and authorized. This is largely achieved by automating the input, though captured input still has to be validated and authorized before it is posted; a large number of devices are now available to automate the input process of a TPS. There are two types of TPS, batch processing and on-line processing, and the documents, controls and security implementation differ for each.

COBIT (Control Objectives for Information and related Technology) is an internal control framework for information systems established by ISACA, and it can be applied to the Accounting Information System. To apply the COBIT framework an organization should:

• define the information system architecture;
• frame security policies;
• conduct a technology risk assessment; and
• take steps to manage technology risks, such as
  o designing appropriate audit trails;
  o providing systems and software security;
  o having a business continuity plan;
  o managing IS resources such as data, applications and facilities; and
  o periodically assessing the adequacy of internal controls and obtaining independent assurance for the information system.

Thus we explain the functioning of typical sales, purchase and payroll accounting systems in a computerized environment. In particular, we focus on the inputs required, the application controls, the processing, the reports generated, the exception reports, the files used and the standing data used.
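The input and processing controls of a batch TPS described above, shown as an added example that is not part of the original text: the account master, approver list, batch header and transactions are constructed for illustration, and the control-total and validation rules are assumptions rather than any particular bank's procedures. The same run also exercises several of the application control categories listed in section 2.9 (validation, authorization, completeness and accuracy of input, and the use of standing data).

```python
# Added example, not from the original text: a batch transaction-processing run with the
# input controls a TPS applies before posting. Master file, parameter file (approver list,
# limit), batch header and transactions are all constructed for illustration.
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

# Standing data: a master file (account -> balance) and a parameter file (approvers, limit).
ACCOUNT_MASTER: Dict[str, Decimal] = {
    "1001": Decimal("5000.00"),
    "1002": Decimal("250.00"),
    "2001": Decimal("0.00"),
}
APPROVERS = {"sunita", "rajesh"}
SINGLE_APPROVAL_LIMIT = Decimal("10000.00")


@dataclass
class BatchHeader:
    """Control totals prepared from the source documents before data entry."""
    record_count: int
    amount_total: Decimal
    hash_total: int  # sum of account numbers: meaningless as a value, but it catches mis-keyed accounts


@dataclass
class Txn:
    seq: int
    account: str
    amount: Decimal
    approver: str


@dataclass
class BatchResult:
    accepted: bool                 # False if the batch failed its control totals
    balances: Dict[str, Decimal]   # master file after posting (a copy; the master itself is untouched)
    exceptions: List[str]          # the exception report
    run_total: Decimal             # run-to-run total of the amounts actually posted


def control_totals(txns: List[Txn]) -> Tuple[int, Decimal, int]:
    """Recompute the batch control totals from the records as keyed."""
    count = len(txns)
    amount_total = sum((t.amount for t in txns), Decimal("0"))
    hash_total = sum(int(t.account) for t in txns if t.account.isdigit())
    return count, amount_total, hash_total


def validate(t: Txn) -> List[str]:
    """Record-level validation and authorization checks against the standing data."""
    errs = []
    if not (t.account.isdigit() and len(t.account) == 4):
        errs.append(f"seq {t.seq}: account '{t.account}' fails the format check")
    elif t.account not in ACCOUNT_MASTER:
        errs.append(f"seq {t.seq}: account {t.account} is not on the master file")
    if t.amount <= 0:
        errs.append(f"seq {t.seq}: amount {t.amount} is not positive")
    if t.approver not in APPROVERS:
        errs.append(f"seq {t.seq}: approver '{t.approver}' is not on the approved list")
    elif t.amount > SINGLE_APPROVAL_LIMIT:
        errs.append(f"seq {t.seq}: amount {t.amount} exceeds the single-approval limit")
    return errs


def run_batch(header: BatchHeader, txns: List[Txn]) -> BatchResult:
    """Batch-level completeness/accuracy check first, then record-level checks, then posting."""
    balances = dict(ACCOUNT_MASTER)
    exceptions: List[str] = []
    totals = control_totals(txns)
    expected = (header.record_count, header.amount_total, header.hash_total)
    if totals != expected:
        # A keying error or a lost/duplicated record: reject the whole batch and post nothing.
        exceptions.append(f"batch rejected: keyed totals {totals} differ from header {expected}")
        return BatchResult(False, balances, exceptions, Decimal("0"))
    run_total = Decimal("0")
    for t in txns:
        errs = validate(t)
        if errs:
            exceptions.extend(errs)   # the rejected record goes to the exception report, not the ledger
            continue
        balances[t.account] += t.amount
        run_total += t.amount
    return BatchResult(True, balances, exceptions, run_total)


# A constructed batch: two good records, one unknown account, one unauthorized approver.
SAMPLE_TXNS = [
    Txn(1, "1001", Decimal("100.00"), "sunita"),
    Txn(2, "1002", Decimal("40.50"), "rajesh"),
    Txn(3, "3001", Decimal("10.00"), "sunita"),
    Txn(4, "2001", Decimal("75.00"), "guest"),
]
SAMPLE_HEADER = BatchHeader(record_count=4, amount_total=Decimal("225.50"),
                            hash_total=1001 + 1002 + 3001 + 2001)

if __name__ == "__main__":
    result = run_batch(SAMPLE_HEADER, SAMPLE_TXNS)
    print("batch accepted:", result.accepted, "posted total:", result.run_total)
    for line in result.exceptions:
        print("EXCEPTION:", line)
```

The two levels of check are deliberately separate: a mismatch in the batch header stops the whole batch, because the auditor cannot tell which record was lost or mis-keyed, while a record that fails validation or authorization is reported individually and the rest of the batch is still posted.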

To enable an auditor to understand the accounting information system so that he can collect audit evidence, flowcharting techniques are covered too.

2.3 Impact of IT on the Economics of Auditing

This section discusses the impact of IT on the nature and economics of auditing. With the emerging areas of practice, and with auditors having acquired IT skills, the economics of auditing have changed. During the past three decades IFAC has issued several relevant standards for auditing in a computerized environment, covering areas such as risk assessment in a computerized environment, stand-alone computers, database systems and on-line information systems. Some standards issued for the manual environment are applicable here as well. AICPA and ISACA have issued standards covering various areas of IS audit; some of these, such as the standards on evidence and on audit planning, are relevant for financial auditors and are mentioned in this section. Information technology also affects audit documentation, reporting and work papers.

Auditing in a computerized environment integrates the skills and knowledge of traditional auditing, information systems, and business and technology risks, and IT affects audit planning, audit risk, and audit tools and techniques. Since detection risk can now be reduced using computer assisted tools and techniques, overall audit risk can be controlled and reduced. This risk-based audit approach starts with a preliminary review; the next step is risk assessment. Depending on the intensity of the use of information technology, the audit is then done either through the computer or around the computer. Once the approach is decided, the next step is to assess the general IS controls and the application controls. Using CAATs, the controls are assessed, evidence is collected and evaluated, and reports are prepared using the information systems themselves.

2.4 Concept of Security

This section discusses the concept of security in detail. IS resources are vulnerable to various types of technology risk and are subject to financial, productivity and intangible losses; resources like data actually represent the physical and financial assets of the organization. Security is a control structure established to maintain the confidentiality, integrity and availability of data, application systems and other resources. A few principles need to be followed for the effective implementation of information security:

• accountability, meaning a clear apportionment of duties, responsibilities and accountability within the organization;
• creation of security awareness in the organization;
• cost-effective implementation of information security;
• integrated efforts to implement security;
• periodic assessment of security needs; and
• timely implementation of security.

Information security is implemented using a combination of general IS controls and application controls. General IS controls include the security policy, procedures and standards, security implemented through systems software, the business continuity plan and information systems audit. The controls used for implementation can also be classified as:

• framing and implementing a security policy;
• physical controls, including locks and keys, biometric controls and environmental controls;
• logical controls, that is, the access controls implemented by the operating system, the database management system and utility software through sign-on procedures, audit trails and the like; and
• administrative controls, such as separation of duties, security policy, procedures and standards, disaster recovery and business continuity plans, and information systems audit.

2.5 IS Management

Information systems audit is a process of collecting and evaluating evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently. The element common to any manual audit and an IS audit is data integrity: all types of audit have to evaluate data integrity. Since IS audit also covers efficiency and effectiveness, it includes some elements of a management audit and a propriety audit too.

IS audit evaluates the IS management function. According to COBIT there are five IS resources: people, application systems, technology, data and facilities. Like any other management function, IS management can be divided into four phases:

• management (equivalent to planning and organization);
• implementation and deployment;
• directing and controlling; and
• audit and monitoring.
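The kind of systems-audit check that this section calls the heart of IS audit, as an added example: it is not the UNIX checklist the text refers to and not part of the original. The script reviews a constructed extract of UNIX account, password-ageing and file-permission data, and a constructed listing of database role and object grants, against the just-minimum-access rule that sections 2.7 and 2.8 develop. The account lines follow the /etc/passwd and /etc/shadow layouts; the grants listing is a simplified form of what a query on Oracle's DBA_ROLE_PRIVS and DBA_TAB_PRIVS views returns (an assumed layout, not a real extract). The 90-day password age, the "as of" day and the list of approved DBA holders are assumptions of the example.

```python
# Added example, not from the original text: a systems-audit pass over constructed OS and
# database security extracts, reporting deviations from "just-minimum-access".
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, description)

# /etc/passwd-style extract (constructed): name:pw:uid:gid:gecos:home:shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:x:500:500:Oracle software owner:/home/oracle:/bin/bash
opsadm:x:0:0:Operations admin:/home/opsadm:/bin/bash
batch:x:501:501:Batch jobs:/home/batch:/bin/bash
guest:x:502:502:Guest:/home/guest:/bin/bash
"""
# /etc/shadow-style extract (constructed): name:hash:lastchange(days since epoch):...
SHADOW = """\
root:$6$saltroot$hashroot:18050:0:99999:7:::
oracle:$6$saltora$hashora:18050:0:99999:7:::
opsadm:$6$saltops$hashops:17000:0:99999:7:::
batch:*:18050:0:99999:7:::
guest::18050:0:99999:7:::
"""
# ls -l style listing (constructed): (mode string, owner, path)
FILES = [
    ("-rwsr-xr-x", "root", "/usr/bin/passwd"),
    ("-rwsr-xr-x", "oracle", "/home/oracle/bin/runjob"),
    ("-rw-rw-rw-", "batch", "/data/ledger.dat"),
    ("-rw-r-----", "oracle", "/data/oradata/bank01.dbf"),
]
# Database grants (constructed, simplified DBA_ROLE_PRIVS / DBA_TAB_PRIVS rows):
# (grantee, privilege-or-role, object, kind) where kind is "role" or "object"
DB_GRANTS = [
    ("TELLER_ROLE", "SELECT", "ACCOUNTS", "object"),
    ("TELLER_ROLE", "INSERT", "TRANSACTIONS", "object"),
    ("RAVI", "TELLER_ROLE", "", "role"),
    ("RAVI", "DELETE", "TRANSACTIONS", "object"),   # direct grant to a user, bypassing roles
    ("PUBLIC", "SELECT", "CUSTOMERS", "object"),    # visible to every database account
    ("MEENA", "DBA", "", "role"),                    # application user holding DBA
]


def parse_colon_file(text: str) -> List[List[str]]:
    return [line.split(":") for line in text.strip().splitlines() if line]


def review_accounts(passwd: str, shadow: str, as_of_day: int, max_age: int = 90) -> List[Finding]:
    """Authentication side: who can log in, and as whom."""
    findings: List[Finding] = []
    for name, _pw, uid, *_ in parse_colon_file(passwd):
        if uid == "0" and name != "root":
            findings.append(("high", f"account {name} has UID 0 and is therefore a second root"))
    for name, pw_hash, last_change, *_ in parse_colon_file(shadow):
        if pw_hash == "":
            findings.append(("high", f"account {name} has an empty password field"))
        elif pw_hash.startswith(("*", "!")):
            continue  # locked: acceptable for a service account that never logs in
        elif as_of_day - int(last_change) > max_age:
            findings.append(("medium", f"account {name} password is {as_of_day - int(last_change)} days old"))
    return findings


def review_files(files) -> List[Finding]:
    """Authorization at directory/file level: setuid programs and world-writable files."""
    findings: List[Finding] = []
    for mode, owner, path in files:
        if mode[3] == "s" and owner != "root":
            findings.append(("high", f"{path} is setuid and owned by {owner}, not root"))
        if mode[8] == "w":
            findings.append(("medium", f"{path} is world-writable ({mode})"))
    return findings


def review_db_grants(grants, approved_dba=("SYS", "SYSTEM")) -> List[Finding]:
    """Authorization at record/field level: roles, direct grants, PUBLIC and DBA."""
    findings: List[Finding] = []
    roles = {priv for _g, priv, _o, kind in grants if kind == "role"}
    for grantee, priv, obj, kind in grants:
        if kind == "role" and priv == "DBA" and grantee not in approved_dba:
            findings.append(("high", f"{grantee} holds the DBA role"))
        elif kind == "object" and grantee == "PUBLIC":
            findings.append(("high", f"{priv} on {obj} is granted to PUBLIC"))
        elif kind == "object" and grantee not in roles:
            findings.append(("medium", f"{priv} on {obj} granted directly to user {grantee}, not via a role"))
    return findings


def run_review(as_of_day: int = 18100) -> List[Finding]:
    """All three reviews over the constructed extracts; as_of_day is the assumed review date."""
    return (review_accounts(PASSWD, SHADOW, as_of_day) + review_files(FILES)
            + review_db_grants(DB_GRANTS))


if __name__ == "__main__":
    for severity, text in run_review():
        print(f"[{severity:6}] {text}")
```

Each review takes an extract rather than reading the live system, which is how the auditor would normally work: the administrator produces the extracts under the auditor's observation, and the auditor then tests them off-line and keeps them as work papers.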

This section discusses the most important activities and controls for each of these resources during each phase of information systems management, and what an IS auditor would want to review during each phase for each resource. All said and done, it should never be forgotten that the heart of IS audit is the systems audit, which reviews the controls implemented on the system through the systems software. Systems audit is a matter of acquiring skills rather than knowledge. A sample checklist for a UNIX audit is included in the section.

2.6 Availability of Information Systems

This section discusses the availability of information systems. Security serves three purposes: confidentiality, integrity and availability. Access controls provide confidentiality and integrity, while business continuity processes and backup procedures provide availability. Availability risk is one of the major technology risks. As business processes become more tightly coupled with information systems, which are in turn exposed to technology risks, there is a dire need to have a disaster recovery plan in place. While insurance can compensate for the loss of resources, a disaster recovery plan puts the various IS resources back in place if a disaster ever occurs; it is therefore a corrective control. A business continuity plan begins with a business impact analysis, which involves risk evaluation and loss estimates for an outage. On the basis of outage costs, disaster recovery resources are put in place. Owing to cost/benefit considerations, disaster recovery resources cannot be put in place for all types of disaster; they are put in place for the likely disasters and for the critical applications. The estimates made and the priorities set for the disaster recovery plan also give financial auditors an idea of the risks and of the importance of each application, which can be a factor when planning an audit in a computerized environment.

2.7 Access Control

All information systems involve two basic pieces of software, the operating system and the database, and both have the ability to control access to data and applications. The operating system controls access at the directory and file level, while the database controls access at the record and field level. This section discusses the capabilities of operating systems to implement security. Application controls are built on the access control facilities of the operating system and the database system; these facilities are the interface between the application controls and the general IS controls.

To ensure data integrity it is necessary to control access to data, applications and other resources. Every user must get "just-minimum-access", which has two aspects: first, only authorized users should have access at all; second, even authorized users should not have full access, but only the access their work requires. For this, all operating systems provide two kinds of facility, authentication and authorization. Authentication establishes who the user is (typically by user ID and password) so that only known users can enter the system; authorization then determines what an authenticated user may do with each file and directory, and this is where just-minimum-access is enforced. Both are managed through a third facility, systems administration. The first thing an auditor should do when starting work on an unfamiliar operating system is to learn its authentication, authorization and system administration functions. Fortunately, all operating systems offer broadly the same kind of facilities, so the learning is quick.

2.8 Database Management

A database provides two important features: data sharing and data independence. Data sharing means that users and applications share the same data, and data independence means that the data is stored independently of the applications that use it. These features make implementing an information system easier and, at the same time, increase the security concerns, since more users and programs reach the same data. A database comes with facilities such as a data dictionary, and with a database administrator role, to implement and control it, and the database management system provides facilities to address the concerns raised by data sharing and data independence. Every database provides sign-on procedures (user identification and authentication) and authorization mechanisms, and to maintain data integrity the just-minimum-access rule should be followed here as well. The database facilities are also used to create the audit trail and to implement application controls. Data files need to be backed up regularly. The IT Act prescribes that all record retention rules also apply to electronic records; the Reserve Bank of India has prescribed record retention rules for banks; and IFAC has issued standards for database systems used in accounting information systems. Oracle is the most commonly used RDBMS in India and worldwide; it implements access control through sign-on procedures and authorization, where authorization is implemented through object ownership, the granting of privileges, and the creation of roles and their assignment to users. The auditor's review of such a database therefore extends to the privileges actually granted: to whom each privilege or role has been given, whether any privilege has been granted to PUBLIC, and whether powerful roles such as DBA are held only by database administration staff.

2.9 Application Controls and their Functioning

This section explains the various types of application controls and their functioning. Business faces two types of operational risk, business risks and technology risks. Technology risks are controlled and mitigated by general IS controls and business risks by application controls; however, it is difficult to draw a sharp dividing line between the two, since application controls are implemented on the facilities provided by the general IS controls. The primary purpose of application controls is data integrity, achieved by ensuring the integrity of input, processing and output. Application controls deal primarily with the objects of the audit: the objective of any audit is to verify the assertions made in the financial statements, and assessing the application controls allows all seven types of assertion made in a financial statement to be assessed. COBIT deals with application controls at length in all phases of information systems management. Application controls can be divided into:

• validation of input;
• authorization of input;
• completeness of input;
• accuracy of input;
• integrity of stored data;
• integrity of standing data;
• completeness and accuracy of standing data;
• completeness and accuracy of processing;
• restricted access to assets and data; and
• confidentiality and integrity of output.

Application controls being programmed procedures, their effectiveness can be tested either by continuous audit or by a substantive audit using general audit software. The next section explains how general audit software can be used to assess application controls.

2.10 Evaluation of Business Risks

The job of a financial auditor is to evaluate business risks. Business risks are controlled and managed by implementing application controls; therefore the primary duty of a financial auditor is to evaluate the application controls so as to reduce control risk to the minimum. Computers follow the garbage-in, garbage-out principle, so it is better if application controls are evaluated for compliance. Since application controls are programmed procedures, if they comply with the company's internal control policies once, they continue to comply unless the program is changed; the compliance conclusion therefore rests on program change control, and the auditor should confirm that the program tested is the one in production and that changes to it are authorized and tested. However, as in the manual environment, compliance testing is difficult and indirect and requires more cost, time and resources. Therefore, in most cases substantive testing is done, and compliance testing is reserved for the crucial systems. The aim of substantive testing, or for that matter of all testing, is to evaluate the assertions made in the financial statement, that is, whether it presents a true and fair picture. Since the auditor cannot do much about inherent risk and control risk, he has to plan the audit with such tools and techniques as reduce detection risk. Computer assisted tools and techniques help here, and more so a general tool-set providing facilities for substantive testing. ACL is the market leader in the field of general audit software. It provides the facilities an auditor needs to evaluate all seven types of assertion made in any financial statement; in addition it offers the facility to create the work papers that are crucial in any audit assignment, besides options for understanding the data and files.
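An added illustration, not part of the original text and not ACL code, of the operations this section attributes to general audit software: extracting records, relating transactions to standing data, duplicate and sequence-gap tests, a summary by account, a first-digit profile of amounts, and a command log that records what the auditor ran. The master and transaction files are constructed; the voucher numbering, the field positions and the "high value" threshold are assumptions of the example. With only six records the first-digit profile shows the mechanics only; a real digit test needs thousands of records before the comparison with the expected Benford share means anything.

```python
# Added example, not from the original text and not ACL code: substantive tests over a
# constructed transaction file in the style of general audit software, with a command log.
import math
from collections import Counter
from typing import Callable, Dict, List, Tuple

Txn = Tuple[int, str, float, str]  # (voucher_no, account, amount, date)

# Standing data (master file), constructed.
MASTER: Dict[str, str] = {"1001": "Savings A", "1002": "Savings B", "2001": "Loan C"}
# Transaction file, constructed: one duplicate, one gap in the voucher sequence,
# one account missing from the master file.
TRANSACTIONS: List[Txn] = [
    (101, "1001", 1200.00, "2023-03-01"),
    (102, "1002", 350.75, "2023-03-01"),
    (103, "1002", 350.75, "2023-03-01"),
    (105, "9999", 80.00, "2023-03-02"),
    (106, "2001", 4999.00, "2023-03-02"),
    (107, "1001", 23.10, "2023-03-03"),
]


class AuditSession:
    """Each test is recorded in a command log with its parameters and result count,
    so the log itself becomes work-paper evidence of what was tested."""

    def __init__(self, txns: List[Txn]):
        self.txns = list(txns)
        self.log: List[str] = []

    def _record(self, command: str, result):
        self.log.append(f"{command} -> {len(result)} row(s)")
        return result

    def extract(self, predicate: Callable[[Txn], bool], label: str) -> List[Txn]:
        return self._record(f"EXTRACT IF {label}", [t for t in self.txns if predicate(t)])

    def duplicates(self, key_fields=(1, 2, 3)) -> List[Txn]:
        """Records sharing account, amount and date (the key positions are parameters)."""
        key = lambda t: tuple(t[i] for i in key_fields)
        seen = Counter(key(t) for t in self.txns)
        return self._record(f"DUPLICATES ON fields {key_fields}",
                            [t for t in self.txns if seen[key(t)] > 1])

    def gaps(self) -> List[int]:
        """Missing voucher numbers: a completeness test on a pre-numbered document."""
        nums = {t[0] for t in self.txns}
        return self._record("GAPS ON voucher_no",
                            [n for n in range(min(nums), max(nums) + 1) if n not in nums])

    def unmatched(self, master: Dict[str, str]) -> List[Txn]:
        """Relate transactions to the master file; orphans point at standing-data integrity."""
        return self._record("RELATE account TO master (unmatched)",
                            [t for t in self.txns if t[1] not in master])

    def summarize(self) -> Dict[str, float]:
        """Totals by account: the quantitative profile of the file."""
        totals: Dict[str, float] = {}
        for _v, acct, amount, _d in self.txns:
            totals[acct] = round(totals.get(acct, 0.0) + amount, 2)
        return self._record("SUMMARIZE amount BY account", totals)

    def first_digit_profile(self) -> Dict[str, Tuple[float, float]]:
        """Observed vs expected (Benford) share of the leading digits 1-9."""
        counts = Counter((f"{abs(amount):.2f}".lstrip("0.") or "0")[0]
                         for _v, _a, amount, _d in self.txns)
        n = len(self.txns)
        profile = {str(d): (counts[str(d)] / n, math.log10(1 + 1 / d)) for d in range(1, 10)}
        return self._record("FIRST-DIGIT PROFILE amount", profile)


def run_standard_tests() -> Dict[str, object]:
    """The sequence an auditor might run on a new file; the log comes back with the results."""
    s = AuditSession(TRANSACTIONS)
    return {
        "high_value": s.extract(lambda t: t[2] >= 4000, "amount >= 4000"),
        "duplicates": s.duplicates(),
        "gaps": s.gaps(),
        "unmatched": s.unmatched(MASTER),
        "totals": s.summarize(),
        "digits": s.first_digit_profile(),
        "log": s.log,
    }


if __name__ == "__main__":
    for line in run_standard_tests()["log"]:
        print(line)
```

The gap and duplicate tests are completeness and validity tests on the output of the application's own controls; when they find something, the finding is evidence that the corresponding input control (pre-numbered vouchers, duplicate checking) was either absent or bypassed, which is what the section means by assessing application controls with general audit software.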

ACL offers tools to understand the quantitative as well as the qualitative features of the data, and it provides facilities to conduct substantive testing. To support both analytical procedures and substantive testing at the transaction level it has utility functions such as indexing, sorting, joining, setting relations, creating output files, exporting files and extracting records. An excellent feature of ACL is the command log: every command the auditor runs is recorded, which keeps a check on the auditor, improves audit quality and also serves as work-paper evidence of what was tested. Each ACL document has a log file by default. ACL can also be used to test the controls implemented on the system, such as the security facilities of an operating system or a database, and therefore helps in systems audit as well.

2.11 Conversion Audit

This section explains conversion audit. Conversion to the computerized environment is picking up fast in India, a process accelerated by the enactment of the Information Technology Act, 2000 and by the instructions of the Chief Vigilance Commissioner to the banking sector to computerize 100% of its business. Data conversion is part of any software project. Converting from one database to another, or from one application to another, requires considerable technical competence, and a conversion audit is conducted to check the accuracy of the conversion: that every record in the source system has reached the target, that no records were created or lost along the way, and that the values carried across (balances, dates, codes) agree field by field after allowing for any documented change of format.
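The checks a conversion audit performs, as an added example that is not part of the original text: a legacy extract is brought into the canonical form the new system uses and reconciled against the new system's extract by record count, control total, hash total and field-by-field comparison. The two layouts (zero-padded account numbers and balances in paise in the old system; decimal balances and ISO dates in the new) are constructed to illustrate format changes, and the century rule applied to two-digit years is an assumption of the example.

```python
# Added example, not from the original text: reconciling a legacy extract with the
# converted data in the target system. Both extracts are constructed for illustration.
import hashlib
from decimal import Decimal
from typing import Dict, List, Tuple

Canonical = Tuple[str, str, Decimal, str]  # (account, name, balance, opened)
PAISE = Decimal("0.01")

# Legacy flat-file layout (constructed): zero-padded account, space-padded name,
# balance in paise as an integer, opening date as DDMMYY.
OLD_RECORDS = [
    ("0001001", "RAVI KUMAR      ", 500000, "150398"),
    ("0001002", "MEENA S         ", 25050, "011201"),
    ("0002001", "LOAN C          ", -1250000, "300699"),
    ("0002002", "CLOSED ACCT     ", 0, "010190"),
]
# Target RDBMS rows (constructed): account, name, decimal balance, ISO date.
# 1002 carries a transposition error, 2002 was not migrated, 2003 did not exist in the source.
NEW_RECORDS = [
    ("1001", "RAVI KUMAR", Decimal("5000.00"), "1998-03-15"),
    ("1002", "MEENA S", Decimal("250.05"), "2001-12-01"),
    ("2001", "LOAN C", Decimal("-12500.00"), "1999-06-30"),
    ("2003", "NEW ACCT", Decimal("10.00"), "2023-01-05"),
]


def canonical_old(rec) -> Canonical:
    """Apply the documented format changes to a legacy record so it can be compared."""
    acct, name, paise, ddmmyy = rec
    yy = int(ddmmyy[4:6])
    year = 1900 + yy if yy >= 70 else 2000 + yy   # assumed century rule of the conversion
    opened = f"{year:04d}-{ddmmyy[2:4]}-{ddmmyy[0:2]}"
    return (acct.lstrip("0"), name.strip(), (Decimal(paise) / 100).quantize(PAISE), opened)


def canonical_new(rec) -> Canonical:
    acct, name, balance, opened = rec
    return (acct, name, Decimal(balance).quantize(PAISE), opened)


def control_totals(rows: List[Canonical]) -> Dict[str, object]:
    """Record count, amount total, hash total and a content digest over the canonical rows."""
    digest = hashlib.sha256()
    for row in sorted(rows):
        digest.update("|".join(str(f) for f in row).encode())
        digest.update(b"\n")
    return {
        "count": len(rows),
        "balance_total": sum((r[2] for r in rows), Decimal("0")),
        "hash_total": sum(int(r[0]) for r in rows),   # sum of account numbers
        "sha256": digest.hexdigest(),
    }


def reconcile(old_rows, new_rows) -> Dict[str, object]:
    """Completeness (missing/extra keys) and accuracy (field mismatches) of the conversion."""
    src = {r[0]: r for r in map(canonical_old, old_rows)}
    tgt = {r[0]: r for r in map(canonical_new, new_rows)}
    fields = ("account", "name", "balance", "opened")
    mismatches: List[Tuple[str, str, str, str]] = []
    for acct in sorted(src.keys() & tgt.keys()):
        for i, field in enumerate(fields):
            if src[acct][i] != tgt[acct][i]:
                mismatches.append((acct, field, str(src[acct][i]), str(tgt[acct][i])))
    return {
        "source": control_totals(list(src.values())),
        "target": control_totals(list(tgt.values())),
        "missing_in_target": sorted(src.keys() - tgt.keys()),
        "extra_in_target": sorted(tgt.keys() - src.keys()),
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    report = reconcile(OLD_RECORDS, NEW_RECORDS)
    for key, value in report.items():
        print(key, value)
```

The totals alone would show that something is wrong (the balance totals differ by the missing account, the new account and the transposed balance together), but they cannot say what; the key-level comparison is what turns the discrepancy into three specific findings that the conversion team can be asked to explain, including the closed account that was dropped, which may be intended but must be documented.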

". Audit Organization and %anagement ".1 Organization Strateg!

/hasing best practices is not enough to ensure a highly successful audit organi&ation# To add alue to the company and e(cel in the audit $orld% internal auditors must be agile in anticipating change% using resources% and partnering $ith management to address risks and impro e operations# The audit organisation or group $hich subscribes to )ust such a philosophy and has built $hat many of its peers ha e deemed a @$orld'class@ organi&ation o er the last se eral years# The group has learned that to be successful it must generate an appropriate internal audit infrastructure% tailor audit approaches to each business unit $ithin the company% and create @o er'the'top@ results by focusing on four basic elements. people% processes% electronic platforms% and focused collaboration $ith senior management# ".1.1 2iring t,e 0ig,t 3eop'e

Internal auditing is organized regionally, with the chief audit executive located at the company's world headquarters and audit groups located around the world. The group is focused primarily on processes, including operations, business processes and financial controls, throughout all areas of the company's businesses. A diverse group of auditors brings several skill sets to audit areas that include project management, manufacturing, supply management, and product marketing and sales. The internal auditors who work for the group were hired both for their potential and for their experience. Within this framework most of the auditors possess advanced degrees and are at least bilingual. The audit group builds on the specific professional skills of newly hired experienced personnel by teaching them auditing techniques within the multifunctional electronic-systems platform. For this experienced group it is far more important that technical skills, rather than audit skills, be the primary focus, because the company deals with a wide range of technology products and services.

The attributes most important for less experienced auditors are a keen, analytical mind; a consultative outlook; and potential for future movement into a business unit. These characteristics should be coupled with tremendous curiosity, a desire to learn, and a willingness to work hard in a fast-paced travel environment. Once hired, inexperienced internal auditors develop skills rapidly as they are exposed to a variety of business issues in several different companies. Typically, a team of two or three auditors will cover two or more major business processes during fieldwork that lasts up to three weeks. The auditors obtain a diversity of experience coupled with a commonality of basic operating and control principles, which enables them to add more value to the business each day they are there. They are also given written performance evaluations during at least the first year to monitor progress and identify areas for improvement. The overall goal within the group is to retain a small core of experienced auditors and to rotate the balance to operating units after approximately three years in the audit group. The constant mix and change of players within the audit organization results in immense personal satisfaction, diversity of work experience, and continual challenge.

3.1.2 Improving Audit Processes

Over the last several years internal auditing worldwide has made significant changes to its audit processes. The techniques used hardly seem revolutionary, but they have proven effective over time. Ten years ago the audit environment was characterized by:

• basic audit processes that had wasteful steps and redundancies;
• minimal planning for individual audits;
• fieldwork that lasted too long (four to eight weeks) and was often too detailed;
• audit reports that took too long to issue;
• hard-copy workpapers that were often weeks behind schedule and contained too much extraneous data;
• disjointed audit follow-up;
• key performance metrics that were not tracked; and
• audit customers who did not receive the auditors' full attention.

Beginning with the upgrading of personnel resources, the internal audit group took steps to improve its processes. These steps included:

• mapping basic audit processes and making the changes necessary to be more efficient and to add more value;
• revamping the guidelines for internal audit operations;
• re-engineering the audit process to reduce cycle time, measure performance and improve consistency;
• introducing electronic audit platforms within Lotus Notes to gain significant efficiencies;
• implementing a permanent quality process;
• improving customer focus; and
• developing an audit mission statement and marketing brochure to help customers understand internal auditing's mission and the skills the auditors bring to the table.

Metrics played a key role in the successful upgrading of audit group processes by measuring the key processes targeted for improvement. Other results of introducing metrics include:

• audit planning has become more current and focused since auditors began requiring specific information in advance from audit customers;
• fieldwork is more focused and is accomplished in two to three weeks;
• a draft audit report is now completed at the end of fieldwork;
• final audit reports, complete with management action plans, are issued less than 30 days after fieldwork ends;
• primary audit workpapers are electronic, streamlined and completed within two weeks after fieldwork ends; secondary hard-copy workpapers are strictly limited and supplementary only;
• audit follow-ups include decision criteria set by internal audit management to determine whether follow-up will be in person or by letter, and are tracked electronically;
• customer service has become a primary focus and includes a quality questionnaire completed by the customer after each audit; and
• a full-time audit quality improvement process is in place to develop new and enhanced approaches to the audit function.

The quality improvement program has been an important part of internal auditing's overall process improvement initiative. The quality process has paid off in numerous improvements, including streamlined audit reports and a thorough audit follow-up process. Additionally, at the beginning of each year the entire audit group brainstorms and prioritizes a list of internal audit projects aimed at improving audit processes. Each auditor selects one or more quality improvement projects for the year with the concurrence of the quality coordinator and the general auditor. The auditors develop brief project descriptions and report on project status at quarterly quality meetings. These projects are completed outside the normal audit assignments and are monitored by an audit quality coordinator throughout the year. In the end, the projects result in tangible process improvements for the internal audit group.

During the improvement process it became apparent that tying performance to compensation helps motivate auditors to undertake and deliver quality projects. For the auditors who will be rotating to other parts of the company, an Internal Auditor Quality Recognition Program, with achievement levels and corresponding substantial cash awards, has been developed. At the end of the year a management committee, chaired by the audit quality coordinator, determines the program awards based on predetermined criteria, and award winners are recognized at a group meeting. For the core staff that remains in the internal audit group, the quality improvement projects are a factor in determining merit compensation.

Another step in the overall internal audit quality improvement process involves holding in-person meetings with various outside companies to actively benchmark internal audit practices. The internal auditors share processes of interest with members of other organizations, who in turn brief the internal auditors on areas in which they have a particular focus. For example, the auditors saw different aspects of control self-assessment when meeting with other outside audit groups, and from that developed their own tool to fit the company: a jointly facilitated self-assessment with a shared focus on operational improvements and controls within factories and projects. Additional impetus was given to improving processes to meet the demands of the company's culture. For example:

re*uires internal staff acti ities% including internal auditing% to bill for their

ser ices# The cycle time reductions in areas including field$ork and reporting time $ere crucial in making the internal audit group competiti e in this regard# B Internal audit processes $ere made fle(ible and nimble to meet the challenges associated $ith constant change due to ac*uisitions and di estitures and business portfolio mi( and emphasis# B The processes needed to $ork% $ith modifications% for any situation# The internal auditors perform many nonstandard audits and special re ie$s based on management re*uests# Robust and efficient processes are an integral part of building a $orld'class internal audit acti ity# 5o$e er% many companies stop here% simply adopting best practices and benchmarking# The other elements '' people% electronic platforms% and focused collaboration '' are needed to $ork in concert $ith *uality processes to produce the synergies and ultimately the results that mark leadership in internal auditing# 7SI9G 080/TR49I/ "8!TF4R6S In the mid'>FF=s% decided to use 8otus 9otes as its $orld$ide standard for group$are# Since then% internal audit has built a number of databases for audit processes using 8otus 9otes# With this base% the internal audit group has de eloped and used the follo$ing tools% all accessible $orld$ide. B 080/TR49I/ W4RC"!"0RS Incorporated into processes in late >FFG% theyA e e(panded o er the years and are used in a different format by internal audit $orld$ide# These include separate sections $ithin the $orkpapers for process flo$ documentation% inter ie$s% key document descriptions% and e en logistics information# B B0ST "R!/TI/0S -!T!B!S0 !n important tool to cross'pollinate successful practices as auditors tra el from location to location% it represents top processes of companies as identified by auditors# B TI60C00"I9G

The database can be @sliced and diced@ to analy&e hours or days by )ob% audit acti ity% and auditor# It also can accumulate billing data as $ell as perform many other functions# B 0'6!I8 Includes electronic distribution of audit reports# B R0F0R09/0 -!T!B!S0 8ocated $ithin the group% the Internal /ontrol -ocuments database includes past audit reports% audit follo$'up analyses% audit report distribution lists% key document templates% presentations% minutes of information sharing staff meetings% and other reference information# B !7-IT "R!/TI/0S R0F0R09/0 "R4GR!6S /ompiled by area# B !7-IT 6!9!G0609T !9- !7-IT "R4GR0SS -!T!B!S0S 7sed for internal administration of audits '' audit numbers% location data% team members% status% audit follo$'up% and more '' these databases are also a ailable to company management as a status of planned and acti e audits# B 6!97F!/T7RI9G !9- S7""8H 6!9!G0609T T448 CITS Repositories of data and techni*ues for these areas# B I9T0R9!8 G7I-08I90S Instructions for the operation of the audit group# B /46"!9HWI-0 "48I/I0S !9- "R4/0-7R0S !ccounting and reporting guidelines for all of # B /4R"4R!T0 -!T!B!S0S Includes electronic e(pense reporting and ne$s releases# In addition% the auditors de eloped a kit of templates for key audit documents# The kit includes Word and 0(cel frame$ork documents% such as audit

engagement letters% audit reports% management action plans replying to audit reports% auditor )ob performance e aluations% and the audit *uality *uestionnaire sent to customers follo$ing an audit# internal audit has also made e(tensi e use of the Internet# The $orld$ide Web site has a tremendous olume of data% $hich includes e erything from companies% products% and locations to employee benefit forms# Internal auditing designed its corner of the Web site to market and e(plain its acti ities and to present employment opportunities# These electronic platforms ha e made a tremendous difference to auditors in terms of accessibility and ease of use of information% cycle'time reduction% and a ailability of reference material# These efficiencies ha e enabled the internal audit group to be more producti e and to better ser e its customers# 0lectronic platforms remo e barriers of time% geography% and space limitations# !rmed $ith skilled personnel% effecti e processes% and supporti e electronic platforms% the auditors are ready to better partner $ith their customers# ".1." -ocusing on Co''aboration

By listening and offering advice on business and control issues on a continuous basis, the senior internal audit team has created an effective network with senior management. The auditors add value by providing not only what clients are seeking but also what they may need, even if they are not aware of it. The auditors strive for a win-win environment by delivering a good mix of both.

The company performs a worldwide risk assessment on which it bases its audit plan. Continuous collaboration and one-on-one meetings enable the auditors to analyze risk on an on-going basis and expose hidden issues. These meetings, if they set the right win-win tone, can be frank expressions of needs by both parties to accomplish their respective tasks. Auditors recognize that the highest level of acceptance has been realized when customers call them for operational, control, and other corporate governance advice.

Generally during these meetings, a formal agenda -- beginning with recent key audits and future risks -- works best. The auditors work through these issues at a quickened pace, but when a nerve is hit, the auditors and management tackle it together. The auditors use various handouts -- such as portions of audit and risk analysis reports -- and other documentation to keep senior management focused on where they are headed in the larger environment. Management's comments and concerns are carefully noted and integrated into the audit plan frequently. The auditors' goals are to add value, to be timely, and, in times of trouble, to avoid the question: "Where were the auditors?" Being proactive with senior management helps prevent a "witch hunt" aimed at internal auditing when something goes wrong. The auditors further the collaboration effort by following up on past audits, whether it be in person, by e-mail, or by telephone. Internal auditors can prioritize new and potential acquisitions of companies, some of which may be small, for review.

By integrating people, audit processes, electronic platforms, and focused collaboration with senior management, audit groups can become world-class organizations. No one factor will do the task alone. The synergies of integrating these elements produce a compelling environment that fosters excellence. Any successful program must be ongoing and focused on continuous change. Seeking world-class status is a never ending journey and not simply a destination along the way.

3.2 IS Audit as Review of Management

The objectives of an information system audit are to obtain reasonable assurance that an organization safeguards its data processing assets, maintains data integrity and achieves system effectiveness and efficiency. In conducting an audit there are five major phases: planning the audit, test of controls, tests of transactions, tests of balances or overall results, and completion of the audit. This report looks at how the nature of the organization and its use of generalized application software affect the conduct of each of the phases.

The organization is a medium-size automotive servicing firm. The organization uses a local area network consisting of three microcomputers running software application packages. The microcomputers are placed in different locations for different functions. It runs application software packages that are well known, well tested, and supplied by a reputable vendor. All the applications are relatively straightforward.

Auditing must be properly planned to achieve the results that both auditors and the organization are looking for. In this first phase, planning the audit, the auditor needs to obtain an understanding of the accounting and internal control systems so as to plan the audit. The auditor should obtain an understanding of the complexity of the information system and also how the information system environment influences the assessment of inherent and control risks. The auditor should start by conducting interviews with top management and information system personnel to gather information for the audit. The auditor must observe activities being carried out within the information system function, review working papers from prior audits and review information system documentation. The auditor needs to review the information collected so as to have a good understanding of all the controls that exist within the organization. Reviewing the information system control procedures will help to evaluate the risks to the integrity of accounting data presented in the financial reports.

The software used by the organization is well known, well tested, and supplied by a reputable vendor. The application software packages are already divided by the functions they perform, thus simplifying complexity issues for the audit. Given the fact that the application is well tested by the vendor, it can be implied that computer controls are in effect and should be very effective. Therefore, the auditor needs to concentrate on the user controls that are in place to see how they can be improved. Two major control issues were raised in the case, that of modifications to the software and access to the central database. The general manager has given the assurance that no modifications were made to the software, and that no staff member has the computer knowledge needed to carry out modifications to the software. This may be true, but controls must be in place to ensure that no modifications are made without proper authority. Adequate controls must exist over the source code, object code and documentation of the package. It is mentioned that there is controlled access to the central database. The auditor must examine these controls since unauthorized access to databases can jeopardize the integrity of data. Some other controls that the auditor should check are systems that allow secure issue of or choice of passwords, correct validation of passwords, secure storage of passwords and follow-up on illicit use of passwords. There should be controls for unauthorized, inaccurate, incomplete, redundant, ineffective or inefficient inputs entered in the system. The input program should identify incorrect data entered, and the program should use special code to correct data corrupted because of noise in a communication line. The local area network is very small, consisting of only three microcomputers, but it still needs protection against natural threats and physical disasters; thus it is necessary to protect the local area network.

Even if controls are in place and are well designed and applied, the risk exists that the auditor will fail to detect actual or potential material losses or account misstatement at the end of the audit. Auditors must determine the audit risk. In deciding the level of inherent risk the auditor needs to take into account that the organization is a medium-sized firm in an industry that is not subject to rapid changes. The industry is not subject to many threats and would not normally be a target for abuse. In this light it can be assumed that the inherent risk will be low. To determine the control risk the auditor should look at management and application controls. Management controls should be looked at first since if management controls are good there should be little need to go into in-depth application controls. If management enforces high quality documentation standards then it is unlikely that the auditor will have to review the documentation for each application. Given that the software is well known and well tested, the application controls should be strong. Therefore the control risk should also be very low for the organization.

At this point it can be concluded that the auditor should audit around the computer. The reasons for this are, firstly, that the applications are relatively straightforward and simple. Second, it is more cost effective to audit around the computer when generalized application software is being used. The application software was provided by a reputable vendor and is well tested, and the application has not been modified according to the general manager. Thirdly, since the package is well tested, a high reliance is placed on user controls rather than computer controls. Thus there is no need to go through testing of processing logic and control in an application that is already tested by the vendor. This would require technical expertise to duplicate a task performed by a reputable vendor.

In the second phase, test of controls, the auditor should go into more detail in reviewing the documentation of processes and analysis of the information the auditor is interested in. Controls should be analyzed for faultiness or defect. User and computer controls should be tested. Since the application is well tested, testing should focus on the reliability of user controls rather than the reliability of computer controls. Some of the controls that should be tested during this phase are: unauthorized, inaccurate, incomplete, redundant, ineffective or inefficient inputs entered in the program; output should be complete and accurate and distributed promptly to the correct recipient; secure issue or choice of passwords, correct validation of passwords, secure storage of passwords and follow-up on illicit use of passwords; segregation of duties; availability of up-to-date backups, viability of up-to-date backups, whereabouts of backup storage units and a usable restore system; reporting, recording and resolving incidents and operational failures; and continuity controls.

In the third phase, test of transactions, testing should be centered on checking to see if material loss or account misstatement has occurred or might occur due to erroneous or irregular processing of a transaction. The application software is straightforward with the necessary built-in controls in place; therefore there is no need to go through the entire system looking for transaction errors. The auditor should take a few transactions and trace them from beginning to ending process to verify whether transactions are handled effectively and efficiently.

In the fourth phase, testing of balances or overall results, the purpose is to gather sufficient evidence to make a final judgment on the size of the losses or account misstatements that might have occurred or might occur when the information system function fails to safeguard assets, maintain data integrity, and achieve system effectiveness and efficiency and account balance. If auditors find that computer controls are weak or nonexistent they will need to do more substantive testing on detailed tests of transactions. However, in this case the vendor tested all computer controls and it is safe to assume that the controls are strong, and this eliminates the need for the auditors to conduct more substantive testing. Selling of spare parts is one of the major revenue earners for the organization. In this light the auditors should conduct a physical inventory of the spare parts to verify that the physical count and computer application count are the same. Other tests that can be done are to recalculate depreciation on fixed assets, and confirmation of receivables.

In the fifth phase, completion of the audit, additional tests to bring the audit to a close are generally conducted. These include reviews for subsequent events and contingent liabilities. The auditor must then formulate an opinion as to whether material loss or account misstatements have occurred and issue a report. The auditor should provide management with a report documenting control weaknesses; identify potential consequences of these weaknesses and recommendations for remedial actions. It was noticed that no controls are in place against unauthorized program changes; in that case auditors must note that weakness, letting management know that unauthorized changes can destroy the functionality of the application, and suggest ways of eliminating that threat. Some recommendations the auditor can make are as follows: the need to strengthen security for the organization's information assets by developing disaster recovery plans and business continuity plans; reviewing technical staff's access to programs and data; tracking of staff activities; limiting the files and other resources authenticated users can access and the actions which they can execute; and development of internal controls to ensure against unauthorized program changes.

There is no right or wrong approach to conducting an information system audit. There are factors that must be taken into account during the planning phase of the audit; these factors determine the approach the auditor takes. As was seen in this case, the fact that it was a medium-size, low risk organization using generalized application software that was not modified were the main factors that determined the approach that would be taken by the auditor.
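The case above concludes that the package's source code, object code and documentation need controls against unauthorized modification, and that the auditor must note the absence of such controls as a weakness. The following is an added example (not from the report or any vendor) of one detective control an auditor could apply or recommend: an approved hash baseline of the installed package, re-verified to surface modified, missing and unexpected files. The package files and the tampering scenario are constructed for illustration.

```python
"""Baseline integrity check for a vendor-supplied application package.

Added example: the baseline is taken at authorised installation time and kept
where operations staff cannot alter it (for instance held by internal audit);
a later comparison reveals program changes made without proper authority.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List

HASH_ALGO = "sha256"


def file_digest(path: Path) -> str:
    """Hash a file in chunks so large object-code files need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Record the approved state of every file under `root` (relative path -> digest)."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


@dataclass
class IntegrityFindings:
    modified: List[str] = field(default_factory=list)    # content differs from baseline
    missing: List[str] = field(default_factory=list)     # in baseline, no longer installed
    unexpected: List[str] = field(default_factory=list)  # installed, not in baseline

    @property
    def clean(self) -> bool:
        """True only when the installed package matches the approved baseline exactly."""
        return not (self.modified or self.missing or self.unexpected)


def verify_against_baseline(root: Path, baseline: Dict[str, str]) -> IntegrityFindings:
    """Compare the installed package with the approved baseline and list every deviation."""
    current = build_baseline(root)
    findings = IntegrityFindings()
    for rel, digest in baseline.items():
        if rel not in current:
            findings.missing.append(rel)
        elif current[rel] != digest:
            findings.modified.append(rel)
    findings.unexpected = sorted(set(current) - set(baseline))
    return findings


def demo() -> IntegrityFindings:
    """Constructed scenario: an approved install, followed by an unauthorised patch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "doc").mkdir()
        # Constructed stand-ins for the vendor's object code and documentation.
        (root / "bin" / "billing.exe").write_bytes(b"MZ vendor object code v1")
        (root / "bin" / "inventory.exe").write_bytes(b"MZ vendor object code v1")
        (root / "doc" / "manual.txt").write_text("Vendor user manual\n")
        baseline = build_baseline(root)

        # Unauthorised change: one executable altered, a stray script added,
        # and the documentation deleted.
        (root / "bin" / "billing.exe").write_bytes(b"MZ patched by staff")
        (root / "bin" / "fixup.bat").write_text("rem undocumented change\n")
        (root / "doc" / "manual.txt").unlink()

        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    result = demo()
    print("Package matches baseline:", result.clean)
    print("Modified:", result.modified)
    print("Missing:", result.missing)
    print("Unexpected:", result.unexpected)
```

A clean result is evidence for the general manager's assurance that the package was not modified; any finding is a control weakness to record in the audit report.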

4. Risk Based Audit Framework

4.1 Introduction to the Risk-Based Audit Framework

This guide is intended to assist managers in meeting the Policy on Transfer Payments (PTP, June 2000) risk-related requirements that support government-wide directions for more corporate and systematic management of risk in the design and delivery of programs. For example, emphasis is placed on incorporating risk in the initial stages of program planning by stipulating that:

• "The type of transfer payment that a department uses to meet its program objectives is determined by the departmental mandate, business lines, clients and an assessment of risks."

The PTP also refers to the following two requirements that are fulfilled through the development of an RBAF:

• "It is government policy to manage transfer payments in a manner that is sensitive to risks, complexity, accountability for results and economical use of resources…" [Section 7.0];
• "Departments must develop a risk-based audit framework for the audit of contributions…" [Section 8.7].

A primary impetus for the government-wide management-change initiative on risk arose from observations and recommendations made in the 1997 Report of the Independent Panel on Modernization of Comptrollership in the Government of Canada. The report found that:

• "…key responsibilities for governing bodies … [include]: understanding the risks associated with the type, level and quality of the service government decides to (or not to) provide, whether directly or indirectly, and ensuring that appropriate means are in place to manage these risks…"
• "…areas that increasingly demand managerial excellence … [include]: matching more creative and client-driven decision making and business approaches with solid risk management…"

In this context, Treasury Board of Canada Secretariat (TBS) acknowledged the importance and benefits of systematic risk management as a strategic investment in the attainment of overall business objectives and demonstration of good governance. As a result, increased emphasis is being placed on working together, at all levels, to create management regimes which are based on leadership and values, well-defined standards and control systems as well as solid risk management. In addition to the PTP, TBS has promoted the integration of systematic risk management practices in other key policies and guidelines, such as:

• the Integrated Risk Management Framework (April 2001) which establishes the expectation that implementing the Framework will "strengthen accountability by demonstrating that levels of risk are explicitly understood"; and
• the Active Monitoring Policy (June 2001) which stipulates that "departments must actively monitor their management practices and controls using a risk-based approach."

The sections which follow describe the underlying objectives and components of an RBAF and provide guidance in its development and preparation.

4.1.1 What is an RBAF?

The RBAF is a management document that explains how risk concepts are integrated into the strategies and approaches used for managing programs that are funded through transfer payments. The RBAF provides:

• background and profile information on the transfer payment program including the key inherent risk areas (internal and external) that the program faces;
• an explicit understanding of the specific risks that may influence the achievement of the transfer payment program objectives;
• a description of existing measures and proposed incremental strategies for managing specific risks; and
• an explanation of monitoring, recipient auditing, internal auditing, and reporting practices and procedures.

4.1.2 Why Do We Need an RBAF?

Transfer payment programs operate in an environment that involves many interconnections, including those that stem from global expectations, governance requirements, authorities and various risk drivers. All these factors affect the design and implementation of the program. Risk-Based Audit Frameworks can cost-effectively and efficiently assist managers in operating in this complex environment by:

• enhancing managers' and employees' understanding and communication of risk and related mitigation options;
• strengthening accountability for achieving objectives and stewardship over public funds;
• facilitating managers' achievement of government-wide requirements for solid risk management;
• providing a basis upon which to create contingency plans;
• helping to secure funding for new or renewed programs; and
• enhancing information for decision-making.

4.1.3 Development and Implementation of the RBAF

The key parties that should be involved in the development and implementation of an RBAF are as follows:

• Managers of the program who have primary responsibility for ensuring that the RBAF reflects an accurate and comprehensive analysis of potential risks to the achievement of objectives as well as cost-effective monitoring, mitigation and reporting strategies;
• Internal Audit and program staff who could provide expert advice and technical support in risk identification, assessment and monitoring as well as take a lead role in preparing the Internal Auditing section of the RBAF;
• Evaluation staff who could provide knowledge and expertise, in recognition of the potential for overlap between RMAFs and RBAFs and in cases where the RMAF and RBAF are being integrated; and
• TBS Program and Center of Excellence for Internal Audit analysts, who have assigned responsibilities and knowledge of program and RBAF requirements respectively, and can provide advice during their preparation.

Delivery partners/co-deliverers and interested parties may also be involved as collaborators.

4.1.4 Planning and Preparing an RBAF

The level of detail included in an RBAF document will vary according to the nature, complexity and sensitivity of the programs. In planning and developing the level of information and effort required to prepare the RBAF, consideration should be given to the following:

• uncomplicated programs with low materiality and a straightforward accountability and risk management environment would require a less detailed and resource intensive RBAF;
• high priority and complex programs with significant materiality (relative to the overall departmental budget) and a diversified and complex environment would require a more detailed RBAF and a larger investment of time and effort;
• the breadth and complexity of the program's RMAF could be used as a guidepost for RBAF development; and
• meaningful information should be provided in each section of the RBAF.

The next sections of this document will guide the reader through the components of an RBAF and the steps involved in their development.

4.2 Components of an RBAF

The RBAF consists of the following key components:

The preparation of the RBAF involves a systematic and analytical process. This section of the guide takes managers and specialist advisors through the distinct steps in this process, the product of each step being a key element of the final framework.

4.2.1 Introduction

• The RBAF should be introduced with a concise explanation of the purpose of the RBAF in the context of PTP requirements and the demonstration of good governance.
• A brief description of the program background should be provided to set the overall context. Background information would include events giving rise to the program, the nature of the contribution agreement (i.e. payable, non-repayable), magnitude of the transfer payments and the timeframe of the funding authority.
• If program management chooses to integrate the RBAF with the RMAF, this section should be used to briefly outline the points and extent of integration.

4.2.2 Roles, Responsibilities and Relationships

a) Purpose

This section should clearly delineate the respective roles and responsibilities of management and IA in fulfilling the PTP monitoring, auditing and RBAF requirements. A summary of the recipient's role and responsibilities for complying with terms and conditions should also be provided.

b) Process

The PTP (Section 8.7) and the Guide on Grants, Contributions and Other Transfer Payments delineate the roles and responsibilities of management and IA.

• Management is responsible for ongoing financial and operational monitoring and the audit of recipients' compliance with terms and conditions and the audit of recipients. The audit of recipients can also examine whether results data is reliable.
• Internal Audit's (IA) role is to employ risk-based methodologies in planning and conducting audits to provide assurance on the adequacy of integrated risk management practices, management control frameworks and information used for decision-making and reporting on the achievement of overall objectives.

Management is responsible for applying and describing the risk-based approach in the selection of recipient audits. If management is not familiar with a risk-based methodology, IA could be of assistance in discharging this responsibility.

While management has overall responsibility for the RBAF, IA is responsible for employing a risk-based approach in establishing whether the overall transfer payment program should be subject to audit. As such, IA should complete the Internal Auditing section [Section 6.0] of the RBAF. Managers and IA should consult as soon as the RBAF requirement has been identified. They should reach an agreement on the collaboration needed to complete the Recipient Auditing and Internal Auditing sections of the RBAF. To facilitate a common understanding of compliance and ongoing monitoring requirements, it may also be beneficial to articulate recipients' roles and responsibilities for meeting contribution agreement terms and conditions.

c) Product

A statement of roles, responsibilities and relationships between PTP management, IA and recipients.

4.2.3 Program Profile

a) Purpose

The Program Profile should provide the context and the key areas of inherent risk (Key Risk Areas) that evolve from the transfer payment program's objectives and environment. Overall, the profile assists the manager in:

• meeting good governance expectations through a sound understanding of the accountability and risk management environment; and
• conducting a more efficient and effective detailed identification and assessment of risk for the Risk Assessment and Management Summary in the next RBAF component.

b) Process

The Program Profile should be developed with reference to the organization's outcomes and design information that has been compiled during recent business planning and the development of the RMAF. As a first step in the process, the "Performance Profile" and other pertinent RMAF data should be verified with participating managers. Clearly articulated objectives and context will provide the basis for further internal and external environmental analysis and identification of the Key Risk Areas that evolve from the mandate. In this context, for ongoing programs, any recent internal audit or evaluation should be described, particularly the effect that their results may have had on the program.

In the case of a small, uncomplicated program, the Profile can be developed by the manager alone. However, as the complexity and magnitude of the program increases, greater detail will be required from key knowledgeable stakeholders to ensure all Key Risk Areas are identified and adequately described. Knowledgeable stakeholders include experienced program staff, internal audit and evaluation advisor(s) and, if deemed necessary, external stakeholders. The involvement of a risk management advisor may also be required, depending on the degree of program complexity.

c) Product

The Profile should include:

• the background, underlying rationale, objectives and need for the program;
• the target population, resources, product groups, delivery mechanisms, TPP stacking provisions and governance structure; and
• the key internal and external areas of risk (Key Risk Areas) that evolve from the legislation, mandate, program design and/or operating environment where there is a potential for significant impact on performance (i.e. anticipates, in macro terms, the work to be done in the next section).

4.2.4 Risk Identification, Assessment and Management Summary

The key risks should ideally be identified, assessed, and associated mitigation measures either implemented or in progress, prior to the development of the proposed Treasury Board submission (in the case of new policy initiatives, prior to the Memorandum to Cabinet). If available, the departmental Integrated Risk Management Framework (IRMF) would be a primary source of reference or at least a starting point.

a) 3urpose The purpose of this component is to ensure an e(plicit understanding of


the le el of key risks# Through systematic risk identification% assessment and de elopment of response or mitigation procedures% managers $ill ac*uire an e(plicit understanding of all aspects of key risks# Furthermore% this component pro ides insight into the main operational measures% including controls used to mitigate key risks and thereby contributes data rele ant to the e(planation of "rogram 6onitoring presented in Section ".$#

b) 3rocess The preparation of the Risk !ssessment and 6anagement Summary


section generally re*uires input from a team of managers and kno$ledgeable staff $ithin the program area% supported by arious functional groups# The team should carry out the follo$ing steps. 3reparation Steps KL/onsider $ho should participate KL/learly define risk KL0stablish a time hori&on KL/ustomi&e a risk matri( KL/onsider other tool re*uirements 3rocess Steps 1. Understand Objectives KL/learly articulate and understand the programs ob)ecti es $ith reference to the outcomes established in the R6!F 8ogic 6odel# 2. 0is1 Identi ication KLIdentify risk areas 1sources of risk2 related to the achie ement of ob)ecti es 1e#g# e ents% ha&ards% issues% lost opportunities and circumstances that could lead to an impact on ste$ardship% deli ery% outputs% outcomes% etc#2+ and KL/onduct a preliminary intuiti e analysis of the risk le el of each area 1high% medium% lo$2 to select the risk areas that re*uire further analysis# ". 0is1 Assessment KL!rticulate the particular concerns and e(isting mitigation measures for the risk areas selected for detailed analysis+ and KL!ssess the likelihood and impact of an undesirable effect% gi en e(isting mitigation measures% to arri e at a residual le el of risk#

#. 0is1 0esponse or %itigation KL0stablish incremental response strategies to a oid% share% transfer% accept and manage the risk# $. Be! 0is1 Summaries KLSummari&e the Cey Risks and related particular concerns% e(isting measures% and Incremental Risk 6anagement Strategies# c6 3roduct The Risk !ssessment and 6anagement Summary should include. KL! methodology section $hich e(plains the risk definition and model+ KL! brief description of the process steps follo$ed+ KLThe identification of parties in ol ed in the process+ KL! Risk 6atri( to e(plain the criteria and define the le els of impact and likelihood KL!n elaboration of the Cey Risk !reas that $ere used in the "rofile section to e(plain the o erall risk conte(t of the program+ and KLsummaries of the Cey Risks that $ere identified including particular concerns% e(isting mitigation measures and incremental risk response strategies% if re*uired# #.2.$ 3rogram %onitoring and 0ecipient Auditing

a) Purpose
The purpose of this section is to provide a description of the monitoring and recipient auditing practices which are to be undertaken by management. It should reflect the risk identification and elaboration work done in the previous section; in particular, it should reflect the mitigation (in this case, monitoring or recipient auditing) of those risks for which the response was to implement controls. This section should reflect all activities related to monitoring of the overall program and the recipient's compliance with terms and conditions through detailed operational and financial procedures.

b) Process
Monitoring
The description of overall monitoring should demonstrate that management has those risks for which the mitigation strategy was controls covered by adequate means and measures. Typical monitoring objectives would include:
• Achievement of established outputs/outcomes;
• Risks or impediments to the achievement of outputs/outcomes;
• Due diligence in determining eligibility of recipients and the expenditures of funds;

• The efficient, effective and economical use of resources; and
• Whether or not the program is being administered in accordance with appropriate terms and conditions at all stages of the transfer payment life cycle (i.e. selection, administration, delivery and reporting).
The description of detailed monitoring of compliance should outline the operational and financial procedures, including:
• Interviews and documentation reviews to assess milestone achievements;
• Expense claim verification procedures;
• Stacking requirements verification procedures; and
• Reviews of recipient financial statements.
The existing and incremental mitigation measures for key risks, included in the Program Risk Assessment, Identification and Management Summary section, provide relevant and current information for the preparation of the overall monitoring section. The Results-based Management and Accountability Framework (RMAF) should also provide relevant information with regard to monitoring the achievement of outcomes.

Recipient Auditing
Recipient auditing is often the only effective way to establish:
• That funds were used for intended purposes;
• Compliance with terms and conditions; and
• Reliability of results data.
Recipient Auditing is applicable to contribution agreements due to their conditional nature. In cases where contribution agreements allow recipients to establish sub-agreements, management may also choose to audit the third, fourth, etc. party recipients' sub-agreement activities, i.e. all the links of the chain through to the end recipient (and the original Terms and Conditions of the Contribution Agreement should provide for this). Particular attention should be paid to Alternative Service Delivery (ASD) arrangements, i.e. where another party delivers the funds to the end recipient on behalf of the program manager, as this arrangement is inherently higher risk than direct delivery to the recipient.
Grant programs conduct strict eligibility checks before issuing grants. However, once grants are issued, there is no further requirement to verify the recipient's use of funds, i.e. recipient auditing is not applicable in this instance.
The TPP sets out the requirement for a "risk-based" approach for determining whether or not an audit should be conducted and, if conducted, its objectives, scope and extent. The risk methodology used here should be consistent with that used in the previous section for program risk identification, assessment and management. In fact, the results of the risk assessment performed in the previous section (particularly those risk factors having to do with the recipient) should be brought forward and augmented, as needed, by factors that may not have been identified there (e.g. knowledge of the recipient known to the Finance or Internal Audit groups, but not to the program manager) and further augmented by "audit risk" factors (i.e. risk factors having to do with the possibility of the auditor drawing the wrong conclusion: concluding that all is well when it is not, or that all is not well when it, in fact, is).
This section should describe the process used for deciding on and planning recipient audits, considering the following steps:
1. Audit Objectives
• Establish the audit objectives to verify compliance with terms and conditions and, if required, the reliability of results data.
2. Risk Identification and Assessment Criteria
• Development of a risk-based matrix and criteria to analyse the level of risk associated with recipients of contributions.
3. Risk Factors Rating
• Consider each audit risk factor and assign a rating. Calculate the overall risk rating as LOW, MEDIUM or HIGH risk.
4. Audit Planning Decisions
• Based on overall risk ratings, determine the nature, scope, timing and sampling strategy, if any, for conducting recipient audits (or, where the second, third, etc. party is acting on behalf of the program manager (i.e. an ASD arrangement), end party audits).

c) Product
This section includes:
• A complete and concise explanation of existing and planned monitoring activities; and
• A summary of the methodology used and decisions taken on conduct of recipient audits, including cost.

4.2.6 Internal Auditing

a) Purpose
An internal audit of a transfer payment program can provide valuable assistance to management by providing assurance as to the soundness of the risk management strategy and practices, the management control framework and practices, and the information being used for decision making and reporting. Specifically, internal audits may examine whether:
• Due diligence is exercised with regard to the expenditure of public funds;
• The program is administered in accordance with the terms and conditions of the funding authority;
• Relevant legislation and policy (e.g. Sections 32, 33 and 34 of the Financial Administration Act and the Transfer Payment Policy) are being respected;
• The program has a risk management strategy and whether systematic risk management is used, where the magnitude and complexity of issues would warrant; and
• The quality of information is adequate for decision-making.

b) Process
The process for planning internal audits is risk-based and the responsibility of IA. Transfer payment program management should consult with IA as soon as the need for an RBAF is identified (preferably at the Memorandum to Cabinet stage or at least when the need for a submission has been identified) in order to make arrangements for IA input to the relevant RBAF components.
To maintain consistency, the risk assessment methodology used for internal audit decisions should be the same as the one used for program and recipient audit risk assessment; i.e. the results of the program risk assessment should be brought forward and augmented by risk factors that the internal audit group may be aware of, but that the program managers were not (e.g. corporate support risk factors and "audit risk"). Refer to Appendix C for details.
It is recognized that the internal audit function and related planning are ongoing and that, in the case of an ongoing program, they may have already considered the relative risk of the subject program and scheduled, or not, an audit of the program for a specific time in the future, or an audit of the program may have already been performed recently. If that is the case, then it would suffice to indicate the results of the audit performed and/or the details of future plans, including expected costs. However, in the case of a new program, a complete risk assessment would have to be retrofitted to the existing internal audit plan and the results described here, including objective, scope, timing and expected costs.

c) Product
The products which should be provided by IA are:

• A description of the results of any recent internal audits performed;
• Anticipated audit objectives, scope, timing and expected cost, in cases where the need for an audit has been affirmed by IA;
• A description of the risk-based audit planning methodology used for all departmental programs (including Transfer Payment Programs); and
• If it is decided that no internal auditing will be performed, an explanation of that decision.

4.2.7 Reporting Strategies

a) Purpose
The final component of the RBAF ensures that plans are in place to systematically report (both internally and externally) on the results of ongoing monitoring, recipient auditing, internal auditing and evaluation. (Note: if reporting of evaluation results is already provided for in the RMAF, it may simply be copied here for completeness.)

b) Process
There are many potential users of this information and the reporting strategy should consider all of their needs (e.g. management decision-making, accountability and communication/information sharing). Potential users of risk information include program management, central agencies and internal and external stakeholders.

c) Product
At the minimum, the reporting strategy should include a description of:
• Periodic reports which are produced for monitoring purposes;
• Agreed-upon recipient audit reports;
• Evaluation reports;
• Internal audit reports that will be provided;
• Who is responsible (especially when multiple parties are involved) for producing reports; and
• The mechanisms (e.g. annual progress reports, mid-term reports, Departmental Performance Reports) and timeframes for reporting on operational monitoring, recipient and internal audits to the lead department, TBS, TB Ministers and/or Parliament.

4.3 RBAF/RMAF Integration
Benefits of Integrated Performance and Risk Assessment and Reporting:

The TPP also requires that management develop a Results-Based Management and Accountability Framework (RMAF) to provide measurement and evaluation strategies for assessing the performance of a transfer payment program. The RBAF and RMAF are complementary documents that provide managers with the means and measures for enhancing program monitoring and reporting. In this regard, the RBAF and RMAF have natural points of integration that relate to the typical analytical and planning approaches used by managers to monitor program operations and performance. For example, it is quite natural for program managers to simultaneously contemplate performance and risk issues when considering whether or not program objectives will be achieved. This integrated thinking facilitates the development of practices and procedures that fulfil the dual function of promoting the achievement of objectives and mitigating risks to performance.
The links between performance and risk, including data collection elements (baseline data) and control frameworks, should be considered at the beginning of the program lifecycle. This integrated approach will assist in clearly identifying all objectives, the program context, and potential internal and external risks to the achievement of objectives. In this regard, it is recognized that the RBAF must be "risk sensitive" and that the RMAF must be "performance sensitive", i.e. linking risk to the program outcomes and performance measurement strategies.

5. IS Audit Standards

5.1 Code of Professional Ethics
The Information Systems Audit and Control Association, Inc. (ISACA) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders. Members and ISACA Certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless legal authority requires disclosure. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.

5.2 IS Auditing Standards
The specialized nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community.
The framework for the IS Auditing Standards provides multiple levels of guidance:
Standards define mandatory requirements for IS auditing and reporting. They inform:
– IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
– Management and other interested parties of the profession's expectations concerning the work of practitioners
– Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.
Resources should be used as a source of best practice guidance. The COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control." COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.

As defined in the COBIT Framework, each of the following is organized by IT management process. COBIT is intended for use by business and IT management, as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:
Control Objectives – High-level and detailed generic statements of minimum good control
Control Practices – Practical rationales and "how to implement" guidance for the control objectives
Audit Guidelines – Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met
Management Guidelines – Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors. It provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
– Performance measurement – How well is the IT function supporting business requirements?
– IT control profiling – What IT processes are important? What are the critical success factors for control?
– Awareness – What are the risks of not achieving the objectives?
– Benchmarking – What do others do? How can results be measured and compared?
Management Guidelines can be used to support self-assessment workshops, and they also can be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme. Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.

5.3 IS Auditing Guidelines
Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT's information criteria. In the case of this specific audit area, Review of Internet Banking, the processes in COBIT likely to be the most relevant are: selected Plan and Organise IT processes, selected Acquire and Implement IT processes, selected Deliver and Support processes, and selected Monitor and Evaluate processes. Therefore, COBIT guidance for the following processes should be considered relevant when performing the audit:
• PO1 – Define a Strategic IT Plan
• PO3 – Determine Technological Direction
• PO8 – Ensure Compliance with External Requirements
• PO9 – Assess Risk
• AI2 – Acquire and maintain application software
• AI3 – Acquire and maintain technology infrastructure
• AI4 – Develop and maintain procedures
• AI5 – Install and accredit systems
• AI6 – Manage Changes
• DS1 – Define and Manage Service Levels
• DS2 – Manage Third-party Services
• DS3 – Manage performance and capacity
• DS4 – Ensure Continuous Service
• DS5 – Ensure Systems Security
• DS8 – Assist and Advise Customers
• DS10 – Manage Problems and Incidents
• DS11 – Manage Data
• M1 – Monitoring the Process
• M2 – Assess Internal Control Adequacy
The information criteria most relevant to an Internet Banking audit are:
• Primary: confidentiality, integrity, availability, compliance and reliability
• Secondary: effectiveness and efficiency

6. Use of Computer-Assisted Audit Techniques (CAATs)


6.1. Background

6.1.1 Linkage to COBIT Standards
6.1.1.1 Standard 060 (Performance of Audit Work) states "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."
6.1.1.2 Standard 050 (Planning) states "The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable laws and professional auditing standards."
6.1.1.3 Standard 030 (Professional Ethics and Standards) states "The IS auditor should exercise due professional care, including observance of applicable professional auditing standards."

6.1.2 Need for Guideline
6.1.2.1 Computer Assisted Audit Techniques (CAATs) are important tools for the IS auditor in performing audits.
6.1.2.2 CAATs include many types of tools and techniques, such as generalised audit software, utility software, test data, application software tracing and mapping, and audit expert systems.
6.1.2.3 CAATs may be used in performing various audit procedures, including:

• Tests of details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of IS application controls
• Penetration testing

6.1.2.4 CAATs may produce a large proportion of the audit evidence developed on IS audits and, as a result, the IS auditor should carefully plan for and exhibit due professional care in the use of CAATs.

6.1.2.5 This Guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above Standards, use professional judgment in its application and be prepared to justify any departure.
6.1.2.6 This guidance should be applied in using CAATs regardless of whether the auditor concerned is an IS auditor.

6.2. Planning

6.2.1 Decision Factors for Using CAATs
6.2.1.1 When planning the audit, the IS auditor should consider an appropriate combination of manual techniques and CAATs. In determining whether to use CAATs, the factors to be considered include:

• Computer knowledge, expertise, and experience of the IS auditor
• Availability of suitable CAATs and IS facilities
• Efficiency and effectiveness of using CAATs over manual techniques
• Time constraints
• Integrity of the information system and IT environment
• Level of audit risk

6.2.2 CAATs Planning Steps
6.2.2.1 The major steps to be undertaken by the IS auditor in preparing for the application of the selected CAATs are:

• Set the audit objectives of the CAATs
• Determine the accessibility and availability of the organisation's IS facilities, programs/system and data
• Define the procedures to be undertaken (e.g., statistical sampling, recalculation, confirmation, etc.)
• Define output requirements
• Determine resource requirements, i.e., personnel, CAATs, processing environment (organisation's IS facilities or audit IS facilities)
• Obtain access to the organisation's IS facilities, programs/system, and data, including file definitions
• Document CAATs to be used, including objectives, high-level flowcharts, and run instructions

6.2.3 Arrangements with the Auditee
6.2.3.1 Data files, such as detailed transaction files, are often only retained for a short period of time; therefore, the IS auditor should make arrangements for the retention of the data covering the appropriate audit time frame.
6.2.3.2 Access to the organisation's IS facilities, programs/system, and data should be arranged for well in advance of the needed time period in order to minimise the effect on the organisation's production environment.
6.2.3.3 The IS auditor should assess the effect that changes to the production programs/system may have on the use of the CAATs. In doing so, the IS auditor should consider the effect of these changes on the integrity and usefulness of the CAATs, as well as the integrity of the programs/system and data used by the IS auditor.

6.2.4 Testing the CAATs
6.2.4.1 The IS auditor should obtain reasonable assurance of the integrity, reliability, usefulness, and security of the CAATs through appropriate planning, design, testing, processing and review of documentation. This should be done before reliance is placed upon the CAATs. The nature, timing and extent of testing is dependent on the commercial availability and stability of the CAATs.

6.2.5 Security of Data and CAATs
6.2.5.1 Where CAATs are used to extract information for data analysis, the IS auditor should verify the integrity of the information system and IT environment from which the data are extracted.
6.2.5.2 CAATs can be used to extract sensitive program/system information and production data that should be kept confidential. The IS auditor should safeguard the program/system information and production data with an appropriate level of confidentiality and security. In doing so, the IS auditor should consider the level of confidentiality and security required by the organisation owning the data and any relevant legislation.
6.2.5.3 The IS auditor should use and document the results of appropriate procedures to provide for the ongoing integrity, reliability, usefulness, and security of the CAATs. For example, this should include a review of program maintenance and program change controls over embedded audit software to determine that only authorised changes were made to the CAATs.

6.2.5.4 When the CAATs reside in an environment not under the control of the IS auditor, an appropriate level of control should be in effect to identify changes to the CAATs. When the CAATs are changed, the IS auditor should obtain assurance of their integrity, reliability, usefulness, and security through appropriate planning, design, testing, processing and review of documentation before reliance is placed on the CAATs.

6.3. Performance of Audit Work

6.3.1 Gathering Audit Evidence
6.3.1.1 The use of CAATs should be controlled by the IS auditor to provide reasonable assurance that the audit objectives and the detailed specifications of the CAATs have been met. The IS auditor should:
• Perform a reconciliation of control totals if appropriate
• Review output for reasonableness
• Perform a review of the logic, parameters or other characteristics of the CAATs
• Review the organisation's general IS controls which may contribute to the integrity of the CAATs (e.g., program change controls and access to system, program, and/or data files)

6.3.2 Generalised Audit Software
6.3.2.1 When using generalised audit software to access the production data, the IS auditor should take appropriate steps to protect the integrity of the organisation's data. With embedded audit software, the IS auditor should be involved in system design, and the techniques will have to be developed and maintained within the organisation's application programs/systems.

6.3.3 Utility Software
6.3.3.1 When using utility software, the IS auditor should confirm that no unplanned interventions have taken place during processing and that the utility software has been obtained from the appropriate system library. The IS auditor should also take appropriate steps to protect the integrity of the organisation's system and files, since these utilities can easily damage the system and its files.

6.3.4 Test Data
6.3.4.1 When using test data, the IS auditor should be aware that test data only point out the potential for erroneous processing; this technique does not evaluate actual production data. The IS auditor also should be aware that test data analysis can be extremely complex and time consuming, depending on the number of transactions processed, the number of programs tested, and the complexity of the programs/system. Before using test data, the IS auditor should verify that the test data will not permanently affect the live system.

6.3.5 Application Software Tracing and Mapping
6.3.5.1 When using application software tracing and mapping, the IS auditor should confirm that the source code being evaluated generated the object program currently being used in production. The IS auditor should be aware that application software tracing and mapping only points out the potential for erroneous processing; it does not evaluate actual production data.

6.3.6 Audit Expert Systems
6.3.6.1 When using audit expert systems, the IS auditor should be thoroughly knowledgeable of the operations of the system to confirm that the decision paths followed are appropriate to the given audit environment/situation.

6.4. CAATs Documentation

6.4.1 Workpapers
6.4.1.1 The step-by-step CAATs process should be sufficiently documented to provide adequate audit evidence.
6.4.1.2 Specifically, the audit workpapers should contain sufficient documentation to describe the CAATs application, including the details set out in the following sections.

6.4.2 Planning
6.4.2.1 Documentation should include:

• CAATs objectives
• CAATs to be used
• Controls to be exercised
• Staffing and timing

6.4.3 Execution
6.4.3.1 Documentation should include:


• CAATs preparation and testing procedures and controls
• Details of the tests performed by the CAATs
• Details of inputs (e.g., data used, file layouts), processing (e.g., CAATs high-level flowcharts, logic) and outputs (e.g., log files, reports)
• Listing of relevant parameters or source code

6.4.4 Audit Evidence
6.4.4.1 Documentation should include:


• Output produced
• Description of the audit analysis work performed on the output
• Audit findings
• Audit conclusions
• Audit recommendations

6.5. Reporting

6.5.1 Description of CAATs
6.5.1.1 The objectives, scope and methodology section of the report should contain a clear description of the CAATs used. This description should not be overly detailed, but it should provide a good overview for the reader.
6.5.1.2 The description of the CAATs used should also be included in the body of the report, where the specific finding relating to the use of the CAATs is discussed.
6.5.1.3 If the description of the CAATs used is applicable to several findings, or is too detailed, it should be discussed briefly in the objectives, scope and methodology section of the report and the reader referred to an appendix with a more detailed description.
