Preliminary Review

In this step, the auditor should obtain and review summary-level information and evaluate it in relation to the
audit objectives. The purpose of the preliminary review phase of an audit engagement is to gather information as a
basis for formulating an audit plan, which is the end product of this phase. During preliminary review, the auditor
will gather general information on the processes and systems under review. The auditor conducts this preliminary
review at a general level, without examining details of individual applications and the processes involved.

General Data Gathering

The auditor begins the examination process by becoming acquainted, generally, with the company, its line of
business, and its financial systems. Typically, an external auditor would tour the client company’s plant and
observe general business operations that bear upon customer service as well as on strictly financial functions.

Given this familiarity, the next level of general data gathering would include the accumulation or preparation
of organization charts, particularly those for the accounting and IT functions. These audit requirements are no
different from those for manual systems.

Should adequate organization charts be unavailable, the auditor must develop them. Once drawn, the charts
should be reviewed with the client to secure an agreement that they represent the actual organization structure.
This verification would be done through interviews and discussions with key executives in the accounting and IT
areas. In addition, during these interviews, the auditor would secure copies of the company’s chart of accounts
and an accounting standards manual, if available.

For systems in which the client company uses computers to process financially significant data, the auditor
would also gather a number of other specific items of evidential matter, including

 An overall narrative or an overview flowchart of the major applications subsystems and their
interrelationship, including inputs and outputs
 Descriptions of the make and model of equipment units in the client’s computer installation
 Programming languages, data processing standards, and procedures manuals used in the computer
system
 Data control procedures
 Assurance that an uninterruptible power supply is in place or that an alternate power source is available
 Procedures and provisions for backup, recovery, and restart of operations in the event of equipment
failure or accidental destruction of data
 Data and source statement library procedures
 Procedures for job setup and operations within the data center
 The installation’s documentation standards manual or such documentation standards as exist
 Descriptions of physical security control transactions

Methods applied in gathering these data are chiefly interviews and reviews of documentation. Physical
inspection techniques are used both to gather data and to validate existing documents or representations made
during the interviews. For example, a single visit to the computer gathering and validation opportunities for
determining equipment configurations, library procedures, operating procedures, physical security controls, and
data control procedures.

Many of these procedures are substantially the same regardless of whether the accounting system is
computerized or not. Differences associated with the audit of computerized systems center around changes in
controls, documentation, audit techniques, and technical qualifications required by audit staff members.

Fact Gathering
Fact gathering is composed of all activities that help the auditor understand the audit subject. Such audit activities
include a review of computer information systems and human interface practices, procedures, documents,
narratives, flowcharts, and record layouts. Fact gathering requires observing, interviewing, flowcharting, and
documenting each activity. If the auditor is using an electronic document management support system, how well
this support toll is used to capture facts gathered should be determined.

Preliminary Evaluation of Internal Controls

In this step, the auditor determines which controls are essential to the overall audit objectives. This includes
building a detailed understanding of the area being audited. To complete the understanding, the auditor interview
key personnel to determine policies and practices, and prepares supplemental audit information as required.

Design Audit Procedures

In this step, the auditor must prepare an audit program for the area being audited, select the verification
techniques applicable to each area, and prepare the instructions for their performance.

An audit program is a formal plan for reviewing and testing each significant audit subject area disclosed during fact
gathering. The auditor should select subject areas for testing that have a significant impact on the control of the
application, activity, or installation and those that are within the scope defined by the audit objectives. IT audit
areas are very specific to the type of audit. Following are some examples of the types of audits conducted in IT.
More detailed information on how to audit IT processes, applications, and operations are discussed in Chapters 8
through 22.

Types of IT Audits

For IT controls, COBIT is a good starting point as it lists the key controls, objectives, and risks. This information then
has to be customized to the particular organization objectives, processes, and technology.

Reviewing Information System Policies, Procedures, and Standards

Today, the auditor, especially the new breed of IT auditors, has the level of knowledge, skills, and abilities to do a
quality job and provide a quality assessment. But how can the IT manager better utilize the IT auditor to assist in
providing objective, value-added contributions to their work. Techniques such as risk assessment, participation in
corporate audit planning, developing IT audit skill and capability, and holding auditors to their standards of
practice are ways of accomplishing this goal.

The techniques mentioned previously could work if supported by top management and IT management. The
support of top management is essential. It is precisely the managerial initiatives that provide the opportunity for
reducing threats of carelessness, corruption, and incompetence. It is equally essential to gain the support of all
members of the organization and design security systems so that they are as unobtrusive in the workplace as
possible. These managerial initiatives reduce risk can be combined with the more traditional defensive strategies
and tactics of IS security to provide the best (most cost effective) approach to protecting corporate information
assets.

IT Audit Support of Financial Audits

Once the auditor has gained a general familiarity with the client’s accounting procedures, specific areas of audit
interest must be identified. The auditor must decide what applications or subsystems will have to be examined at a
more detailed level. As a basis for preparation of the audit plan, the auditor must also determine, in general, how
much time will be required; what types of people and skills will be needed to conduct the examination; and,
roughly, what the schedule will be.

This requirement applies even if the client is not using a computer. Of computers are being used for financially
significant applications, the auditor must determine their sophistication and extent of use. This preliminary study
goes just deep enough for the auditor to evaluate the complexity and sophistication of the systems and determine
the procedures to be followed in evaluating internal control. During the preliminary review phase, it is not
necessary to go in to detailed analysis, such as flowcharting of applications, be they manual or computerized.

Findings are formal statements that identify and describe inaccurate, inefficient, or inadequately controlled audit
subjects. For example, an auditor found that changes made to an application were implemented without
authorization. The auditor then discovered that the organization’s procedures manual did not include instructions
to seek management permission before making changes to applications.

Identifying Financial Application Areas

The identification of financial application areas is often referred to as areas of interest. This can be accomplished
with the auditor gaining familiarity with the organization’s accounting procedures and processes. Through the
preliminary review of these applications and subsystems, the auditor will decide which applications need to be
reviewed in detail. These audit steps contribute to the audit plan. As mentioned earlier, the audit plan provides the
auditor with more in-depth information on how to accomplish the audit tasks and the time and resources needed.

The process of identifying financial application areas applies to all computer and non computer applications that
are part of financial process. With computerized applications, the importance of determining the financially
significant applications has to be derived through preliminary analysis. The assessment of the sophistication of the
application, its complexity, and extent of use are factors that come into play in deciding whether to select it and
how one might evaluate it. The preliminary study/review phase is a critical step in the audit process that examines
an organization’s financial systems and provides the auditor with a basis for selecting audit areas for more detailed
analysis and evaluation whether they are manual or computerized.

Auditing Financial Applications

Auditors involved in reviewing information systems should focus their concerns on the system’s control aspects.
They must look at the total systems environment – not just the computerized segment. This requires their
involvement from the time a transaction is initiated until it is posted to the organization’s general ledger.
Specifically, auditors must ensure that provisions are made for

 An adequate audit trail so that transactions can be traced forward and backward through the system
 The documentation and existence of controls over the accounting for all data(e.g., transactions) entered
into the system and controls to ensure the integrity of those transactions throughout the computerized
segment of the system
 Handling exceptions to, and rejections from, the computer system
 Unit and integrated testing, with controls in place to determine whether the systems perform as stated
 Controls over charges to the computer system to determine whether the proper authorization has been
given and documented
 Authorization procedures for system overrides and documentation of those processes
 Determining whether organization and government policies and procedures are adhered to in system
implementation
 Training user personnel in the operation of the system
 Developing detailed evaluation criteria so that it is possible to determine whether the implemented
system has met predetermined specifications
 Adequate controls between interconnected computer systems
 Adequate security procedures for the operation of the system and assurance of business continuity
 Ensuring technology provided by different vendors (i.e., operational platforms) is compatible and
controlled
 Adequately designed and controlled databases to ensure that common definitions of data are used
throughout the organization, redundancy is eliminated or controlled, and data existing in multiple
databases is updated concurrently
This list affirms that the auditor is primarily concerned with adequate controls to safeguard the organization’s
assets and that the Sarbanes-Oxley Act of 2002 will ensure that quality and independence are maintained in this
review process.

Management of IT and Enterprise Architecture

IT management must develop an organizational structure and procedures to ensure a controlled and efficient
environment for information processing. This plan should also specify that computers and peripheral equipment
required to support all functions in an economic and timely manner. With enterprise systems being very critical to
medium-size and large business today, the need to monitor and validate operational integrity of an enterprise
resource planning system (ERPS) is an important process. IT audit plays an important role in maintaining and
monitoring the enterprise architecture.

Computerized Systems and Applications

The audit should verify that systems and applications are appropriate to the user’s needs, efficient, and adequately
controlled to ensure valid, reliable, timely, and secure input, processing, and output at current and projected levels
of system activity.

Information Processing Facilities

The information processing facility must be controlled to ensure timely, accurate, and efficient processing of
applications under normal and potentially disruptive conditions.

System Development

An IT audit should ensure that systems under development meet the objectives of the organization, satisfy user
requirements, and provide efficient, accurate, and cost-effective systems and applications. The audit should also
ensure that these systems are written, tested, and installed in accordance with generally accepted standards for
systems development.

Client/Server, Telecommunications, Intranets, and Extranets

May companies are decentralizing their traditional mainframe information processing facilities into LANs, wide are
network (WANs), value-added networks (VANs), virtual private networks (VPNs), and client/server and
Internet/intranet/extranet systems. In a client/server environment, all applications that can be dedicated to a user
are put on the client. All resources that need to be shared are put on the server. Auditors must ensure that
controls are in place on the client (computer-receiving services) as well as the server (computer-providing services)
and on the network (i.e., the supporting WANs and VANs) connecting clients and servers. In an
Internet/intranet/extranet environment as in the client/server environment with emphasis on two key intranet
protocols: Transmission Control Protocol/Internet Protocol (TCP/IP) and Hypertext Transfer Protocol (HTTP).

Fieldwork and Implementing Audit Methodology

There are seven basic steps that can assist an auditor in the review of a computer-based system. These steps are
valid regardless of computer environment, audit area, or system complexity. For each audit, the steps must be
understood clearly, planned, and coordinated with the organizational objectives set for the audit function.

1. Define objectives. The auditor defines the general objectives to verify those processes and controls
necessary to make the area being audited free from significant exposures to risk. This objective also
encompasses validating adherence of the systems under examination to appropriate standards; for
example, financial accounting should conform to GAAP.
2. Build a basic understanding of the area being audited. The auditor obtains and reviews summary-level
information and evaluates it in relation to the audit objectives.
 3. Build a detailed understanding of the area being audited. The auditor interviews key personnel to determine
policies and practices, and prepares supplemental audit information as required to complete the
understanding.
4. Evaluate controls, strengths, and weakness. The auditor determines which controls are essential to the overall
audit objectives.
5. Design the audit procedures. The auditor prepares an audit program for the area being audited, selects the
verification techniques applicable to each area, and prepares the instructions for their performance.
6. Test the critical controls, processes and apparent exposures. The auditor performs the necessary testing by using
documentary evidence, corroborating interviews, and personal observation.
7. Evaluate the results. In the final step, the auditor evaluates the results of the work and prepares a report on
the findings.

These are seven basic steps that constitute the computer auditor’s review.

Test Controls

Test the critical controls, processes, and apparent exposures. The auditor performs the necessary testing by using
documentary evidence, corroborating interviews, and personal observation.

Validation of the information obtained is prescribed by the auditor’s work program. Again, this work program is
the organized, written, and preplanned approach to the study of the IT department. It calls for validation in several
ways as follows:

 Asking different personnel the same question and comparing the answers
 Asking the same question in different ways at different times
 Comparing checklist answers to work papers, programs, documentation, test, or other verifiable results
 Comparing checklist answers to observations and actual results
 Conducting mini-studies of critical phases of the operation

Such an intensive program allows an auditor to become informed about the operation in a short time.

Final Evaluation of Internal Controls

The auditor performs the necessary testing by using documentary evidence, corroborating interviews, and
personal observation.

Validation of Work Performed

Documentary evidence may consist of a variety of forms of documentations on the system under review. Examples
could include notes from meeting on subject system, programmer notes, systems documentations, user manuals,
and change control documentation from any system or operation changes since inception, and a copy of the
contract if third parties involved. Many of these examples of documentary evidence after review may require the
auditor to ask questions of the user, developer and managers, and help the auditor establish the appropriate test
criteria to be used. It also helps in identifying the critical systems and processes to be tested.

Corroborating interviews and personal observations are also part of the testing controls process as the
documentary evidence must be validated. For example, in interviewing a programmer for the system under
review, the programmer states that the system has undergone recent changes not reflected in the current
documentation. It is very important to identify what those changes were if those areas of the application or system
were to be selected for control testing.

If we were examining a disaster recovery exercise, we could use personal observations of such an event to
determine whether personnel followed appropriate procedures and processes, through personal observations,
one can observe and assess if personnel is following its operating procedure and plans, and is adequately prepared
for the disaster simulated.

The quality of the auditor’s fieldwork, audit methodology used, and testing of controls will rest with the validation
techniques used, applied, and discussed in the next section.

Substantive Testing

Where controls are determined not to be effective, substantive testing may be required to determine whether
there is a material issue with the resulting financial information. In an IT audit, substantive testing is used to
determine the accuracy of information being generated by a process or application. Audit tests are designed and
conducted to verify the functional accuracy, efficiency, and control of the audit subject. During the audit of an IS
application, for example, the auditor would build and process test data to verify the processing steps of an
application.

Auditing through the computer involves some additional steps in addition to those mentioned previously.
Programs are run on the computer to test and authenticate application programs that are run in normal
processing. Usually, the audit team will select one of the many GAS packages such as SAS, SPSS, qzCAATT,
TopCAATs, or CA-Easytrieve(T) and determine what changes are necessary to run the software at the installation.
The auditor will use this software to do sampling, data extraction, exception reporting, summarize and foot totals,
and other tasks. Also, the auditor via microcomputer or client/server support can use packages such as Microsoft
Access or Excel, IDEA, or ACL to perform in-depth analysis and reporting capability.