Submitted By
ANUSUYA CHAKRABORTY
M.TECH (ISCF)
1730910003
Audit Policy:
Planning is an important step in the auditing process. Administrators should be selective in
determining the objects to audit. Auditing creates system overhead; therefore, auditing too many
objects will cause the security log to become large and difficult to manage.
Before audit records are logged, an auditing policy must be established. The policy defines the
types of events that will be audited for a specific user or group of users.
• Review and evaluate the audit procedures and results of the Corporation’s independent
auditor and audit manager.
• Review, evaluate and approve any non-audit services the independent auditor may
perform for the Corporation and disclose such approved non-auditor services in periodic
reports to stockholders.
• Maintain free and open means of communication between the board of directors, the
independent auditor, the audit manager, and the management of the Corporation.
• Maintain free and open means of communication between employees and the audit
committee for the processing of complaints received by the Corporation regarding
questionable accounting or auditing matters, including suspicions of fraudulent activity.
• At least annually, review and update this charter for consideration by the board of
directors and perform an evaluation of the audit committee performance and function.
Audit Procedures:
Audit procedures are specific tasks (audit tests) performed by the auditor to gather evidence to
determine if specific audit objectives are being met. IS Auditing Standard 060 (Performance of
Audit Work) states, “During the course of the audit, the IT auditor should obtain sufficient,
reliable, and relevant evidence to achieve the audit objectives. The audit findings and
conclusions are to be supported by appropriate analysis and interpretation of this evidence.” An
auditor must design, select, evaluate, and document sample evidence in order to meet the
requirements of “sufficient, reliable, and relevant evidence” and “supported by appropriate
analysis”.
Audit Sampling
Audit sampling is the application of an audit procedure to less than 100% of the population to
enable the IT auditor to evaluate audit evidence within a class of transactions for the purpose of
forming a conclusion concerning the population. When designing the size and structure of an
audit sample, the IT auditor should consider the audit objectives determined when planning the
audit, the nature of the population, and the sampling and selection methods.
The selection of the sample size is affected by the level of sampling risk that the IT auditor is
willing to accept. Sampling risk is the risk the auditor’s conclusion may be different from the
conclusion that would be reached if the entire population were subjected to the same audit
procedure. The two types of sampling risk are:
1. The Risk of Incorrect Acceptance – the risk that a material misstatement is assessed as unlikely,
when in fact the population is materially misstated.
2. The Risk of Incorrect Rejection – the risk that a material misstatement is assessed as likely, when
in fact the population is not materially misstated.
Once the sample items to be tested have been selected, the auditor can begin audit tests using
Computer Assisted Auditing Techniques (CAATs).
• The effect of not being able to apply a planned procedure to a sample item.
• A projection of the sample results to the population being tested, then comparing those results
with the planned amounts.
• Appropriate consideration must be given to the assessed level of sampling risk.
• SAS 39 requires the auditor to adequately consider qualitative aspects of misstatements, such as
the nature and cause of the misstatement and the possible relationship of the misstatements to
other phases of the audit.
The auditor must document in their work papers the sampling objectives and the sampling
process used. The work papers should include the source of the population, the sampling method
used, sampling parameters, items selected, details of audit tests performed, and conclusions
reached.
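The selection, projection and work-paper steps described in this section can be sketched as follows. This is an added example, not part of the original document; the function names, the constructed ticket population, the tolerable rate and the choice to count an untestable item as an exception are all assumptions of the example.

```python
import random

def select_sample(population_ids, sample_size, seed):
    """Random selection without replacement. The seed is kept so a reviewer
    can re-perform the selection from the work papers."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(population_ids), sample_size))

def evaluate_sample(results, population_size, tolerable_rate):
    """results: item id -> True (passed), False (exception) or None
    (the planned procedure could not be applied to the item)."""
    untestable = sorted(i for i, r in results.items() if r is None)
    # Assumption of this example: an item that cannot be tested counts as
    # an exception instead of being silently dropped from the sample.
    exceptions = sorted(i for i, r in results.items() if r is not True)
    n = len(results)
    return {
        "sample_size": n,
        "exceptions": exceptions,
        "untestable": untestable,
        "sample_rate": len(exceptions) / n,
        # Point projection to the population; it carries no allowance for
        # sampling risk, which the auditor still has to assess separately.
        "projected_exceptions": round(len(exceptions) * population_size / n),
        "within_tolerable": len(exceptions) / n <= tolerable_rate,
    }

def work_paper(source, method, seed, selected, evaluation, tolerable_rate):
    """Collect what the work papers should record about the sample."""
    return {
        "population_source": source,
        "sampling_method": method,
        "parameters": {"seed": seed, "sample_size": len(selected),
                       "tolerable_rate": tolerable_rate},
        "items_selected": selected,
        "evaluation": evaluation,
    }

if __name__ == "__main__":
    # Constructed population: 1200 access-change tickets, ids 1..1200.
    ids = range(1, 1201)
    picked = select_sample(ids, 60, seed=20240101)
    # Constructed test outcome: tickets divisible by 40 lack an approval,
    # tickets divisible by 97 could not be located.
    outcome = {i: None if i % 97 == 0 else i % 40 != 0 for i in picked}
    ev = evaluate_sample(outcome, len(ids), tolerable_rate=0.05)
    print(work_paper("change-ticket export (constructed)", "simple random",
                     20240101, picked, ev, 0.05))
```

Recording the seed together with the population source is what lets a second auditor regenerate exactly the same item list and confirm that no items were swapped out after testing.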
Evidence
Through the use of CAATs, the auditor will be able to obtain evidence to support their final
conclusions developed on the audit. Audit evidence should be sufficient, reliable, relevant, and
useful in order for the auditor to form an opinion and to support their findings and conclusions. If
the auditor cannot form an opinion based on the audit evidence obtained, the auditor should then
obtain additional audit evidence. Procedures used to gather audit evidence vary depending on
the information system being audited. The auditor should select the most appropriate procedure
for the audit objective. The following procedures should be considered:
The audit evidence gathered by the auditor should be documented and organized to support the
auditor’s findings and conclusions. Finally, when an auditor believes that sufficient audit
evidence cannot be obtained, the auditor should disclose this fact as a scope limitation within the
audit report.
Audit Standards:
The AICPA committee, charged with the responsibility of reviewing auditing standards as a
result of EFCA’s collapse, stated that “generally accepted auditing standards are adequate and no
changes are called for in the procedures commonly used by auditors.”
However, the Sarbanes–Oxley Act will have a dramatic effect on public accounting. Section
404—Management Assessment of Internal Controls of the Act states that the companies that are
affected will be required to:
• State the responsibility of the management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting
• Prepare an assessment at the end of the issuer’s fiscal year of the effectiveness of the
internal control structure and procedures of the issuer for financial reporting
All these requirements will have a major impact on the internal and IT auditors, as they most
probably have to complete this work as well as evaluate, assess, and report on internal controls
for management’s report required by Sarbanes–Oxley.
AICPA has thus responded to these audit failures and financial frauds in Enron, WorldCom,
Adelphia, etc., by changing the previously issued SAS 82. SAS 99—“Consideration of Fraud in
a Financial Statement Audit” deals with brainstorming the risk of fraud and increasing
professional views that it could happen here; use of unpredictable audit tests; and responding to
management override of controls by requiring on every audit certain procedures to detect
management override.
Audit Guideline:
The Audit Guideline is the comprehensive ‘rule book’ for audits conducted under GGAS and
covers:
Auditors should ensure they are familiar with the Audit Guideline and that all audits are
conducted in accordance with the requirements it outlines.