ASSIGNMENT:

Understanding Policy, Standards, Procedure

and Guidelines with respect to ISA

Submitted By

ANUSUYA CHAKRABORTY
M.TECH (ISCF)
1730910003
Audit Policy:
Planning is an important step in the auditing process. Administrators should be selective in
determining the objects to audit. Auditing creates system overhead, therefore auditing too many
objects will cause the security log to become large and difficult to manage.

Before audit records are logged, an auditing policy must be established. The policy defines the
types of events that will be audited for a specific user or group of users.

• Serve as an independent and objective party to monitor the Corporation’s financial

reporting process and internal control system.

• Review and evaluate the audit procedures and results of the Corporation’s independent
auditor and audit manager.

• Approve, engage and terminate the independent auditor.

• Review and evaluate the independent auditor’s qualifications, performance and

independence.

• Review, evaluate and approve any non-audit services the independent auditor may
perform for the Corporation and disclose such approved non-auditor services in periodic
reports to stockholders.

• Maintain free and open means of communication between the board of directors, the
independent auditor, the audit manager, and the management of the Corporation.

• Maintain free and open means of communication between employees and the audit
committee for the processing of complaints received by the Corporation regarding
questionable accounting or auditing matters, including suspicions of fraudulent activity.

• At least annually, review and update this charter for consideration by the board of
directors and perform an evaluation of the audit committee performance and function.
Audit Procedures:
Audit procedures are specific tasks (audit tests) performed by the auditor to gather evidence to
determine if specific audit objectives are being met. IS Auditing Standard 060 (Performance of
Audit Work) states, “During the course of the audit, the IT auditor should obtain sufficient,
reliable, and relevant evidence to achieve the audit objectives. The audit findings and
conclusions are to be supported by appropriate analysis and interpretation of this evidence.”An
auditor must design, select, evaluate, and document sample evidence in order to meet the
requirements of “sufficient, reliable, and relevant evidence” and “supported by appropriate
analysis”.

Audit Sampling
Audit sampling is the application of an audit procedure to less than 100% of the population to
enable the IT auditor to evaluate audit evidence within a class of transactions for the purpose of
forming a conclusion concerning the population. When designing the size and structure of an
audit sample, the IT auditor should consider the audit objectives determined when planning the
audit, the nature of the population, and the sampling and selection methods.

Selecting the Sample

The auditor should select the sample items in such a way that they are representative of the
population. The most commonly used sampling selection methods are:

• Statistical Sampling Methods

o Random Sampling – ensures that all combinations of sampling units in the population
have an equal chance of selection.
o Systematic Sampling – involves selecting sampling units using a fixed interval between
selections with the first interval having a random start.
• Non-Statistical Sampling Methods
o Haphazard Sampling – the auditor selects the sample without following a structured
technique.
o Judgmental Sampling – the auditor places a bias on the sample. For example, selecting
only sampling units over a certain value.

The selection of the sample size is affected by the level of sampling risk that the IT auditor is
willing to accept. Sampling risk is the risk the auditor’s conclusion may be different from the
conclusion that would be reached if the entire population were subjected to the same audit
procedure. The two types of sampling risk are:

1. The Risk of Incorrect Acceptance – the risk that a material misstatement is assessed as unlikely,
when in fact the population is materially misstated.
2. The Risk of Incorrect Rejection – the risk that a material misstatement is assessed as likely, when
in fact the population is not materially misstated.
Once the sample items have been selected to be tested, the auditor can begin audit tests using
Computer Assisted Auditing Technique.

Evaluation and Documentation of Samples

The performance and evaluation of a sample must address the following issues:

• The effect of not being able to apply a planned procedure to a sample item.
• A projection of the sample results to the population being tested, then comparing those results
with the planned amounts.
• Appropriate consideration to the assessed level of sampling risk must be performed.
• SAS 39 requires the auditor to adequately consider qualitative aspects of misstatements, such as
the nature and cause of the misstatement and the possible relationship of the misstatements to
other phases of the audit.

The auditor must document in their work papers the sampling objectives and the sampling
process used. The work papers should include the source of the population, the sampling method
used, sampling parameters, items selected, details of audit tests performed, and conclusions
reached.

Evidence
Through the use of CAATs, the auditor will be able to obtain evidence to support their final
conclusions developed on the audit. Audit evidence should be sufficient, reliable, relevant, and
useful in order for the auditor to form an opinion and to support their findings and conclusions. If
the auditor cannot form an opinion based on the audit evidence obtained, the auditor should then
obtain additional audit evidence. Procedures used to gather audit evidence varies depending on
the information system being audited. The auditor should select the most appropriate procedure
for the audit objective. The following procedures should be considered:

• Inquiry and/or Observation

• Inspection
• Reperformance
• Monitoring

The audit evidence gathered by the auditor should be documented and organized to support the
auditor’s findings and conclusions. Finally, when an auditor believes that sufficient audit
evidence cannot be obtained, the auditor should disclose this fact as a scope limitation within the
audit report.
Audit Standards:
All the AICPA committee, charged with the responsibility of reviewing auditing standards as a
result of EFCA’s collapse, stated that “generally accepted auditing standards are adequate and no
changes are called for in the procedures commonly used by auditors.”

However, the Sarbanes–Oxley Act will have a dramatic effect on public accounting. Section
404—Management Assessment of Internal Controls of the Act states that the companies that are
affected will be required to
• State the responsibility of the management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting
• Prepare an assessment at the end of the issuer’s fiscal year of the effectiveness of the
internal control structure and procedures of the issuer for financial reporting

All these requirements will have a major impact on the internal and IT auditors, as they most
probably have to complete this work as well as evaluate, assess, and report on internal controls
for management’s report required by Sarbanes–Oxley.

AICPA has thus responded to these audit failures and financial frauds in Enron, WorldCom,
Adelphia, etc., by changing the previously issued SAS 82. SAS 99—“Consideration of Fraud in
a Financial Statement Audit” deals with brainstorming the risk of fraud and increasing
professional views that it could happen here; use of unpredictable audit tests; and responding to
management override controls by requiring on every audit certain procedures to detect
management override

Audit Guideline:
The Audit Guideline is the comprehensive ‘rule book’ for audits conducted under GGAS and
covers:

• selection and appointment of auditors

• conflict of interest and impartiality requirements
• processes and procedures for the conduct of audits
• assessment of risk and materiality
• reporting guidance including correct procedures for varying levels of assurance,
qualifications and any potential negative findings
• ongoing management and enhancement of auditor performance.

Auditors should ensure they are familiar with the Audit Guideline and that all audits are
conducted in accordance with the requirements it outlines.