Updated: Jan 3
Auditing means that competent independent institutions or personnel accept commission or authorization to objectively collect and evaluate the measurable information evidence of characteristic economic entities. Auditors need to determine the degree of conformity of this information with the standards and report to stakeholders.
Meeting the needs of stakeholders means that the existence of an enterprise is to create value for its stakeholders by maintaining a balance between achieving benefits, optimizing risks, and using resources. The core work of the audit is to collect and evaluate evidence. After collecting the evidence, auditors need to analyze the compliance between the status quo and relevant laws, find out the difference and then report them to people who entrusted them with the audit work.
The audit process requires the IS auditor to collect evidence, evaluate the strengths and weaknesses of the control through audit tests based on the collected evidence. Then auditors should provide management team members with an audit report that objectively describes these issues.
General IT audits include two types: ITGC (General) general control design and ITAC (application) application control audit.
2. Audit procedures
The audit procedure is an audit strategy, which describes the scope, objectives, and steps of the audit. By using these steps, sufficient and reliable evidence can be obtained to draw and support audit conclusions and opinions.
The general procedure for performing an audit usually includes the following basic steps.
• Obtain and record knowledge of the audit area or the audit object. First of all, we should have a full understanding of the audit scope (auditee) and what we audit (audit scope). The following factors should also be considered- what are the inherent risks, what are the key controls, what are its organizational processes, transaction links, and business processes
• Detailed audit plan
• Preliminary inspection of audit areas or audit objects
• Assess and verify that the control design meets the appropriate degree of control objectives
• Compliance test (the implementation of test control and its operational reliability)
• Substantive test (confirm the accuracy of information)
• Report (communication results)
• Tracking activities of the internal audit function.
Compliance testing: Collecting evidence to test the organization’s compliance with control procedures. It is a test method to verify whether the control exists and whether the control is effective.
Substantive testing: Collecting evidence to evaluate the integrity of transactions, data, and other information. The integrity of actual processing is used to verify the validity and integrity of transactions related to data transactions in financial statements. Verify whether the control is implemented and the deviation of actual implementation to determine whether the risk is high.
The auditor should determine the scope of the substantive test based on the results of the compliance test. Generally speaking, the compliance test shows that the internal control has high reliability and the substantive test range is small. On the contrary, the substantive test range is large.
3. Methods of testing and evaluation
IT auditors must understand the procedures for testing and evaluating information system controls, including：
• Use general audit software to investigate the content of data files (including system logs).
• Use special software to evaluate the content of the system database and an application parameter file (or check the insufficiency of system parameter setting).
• Use flow charts to document automated applications and business processes.
• Use the audit log or audit report built into the operating system or referral program.
• Document review.
4. Audit Risks
The risk of audit refers to the risk that there is no significant error in the audit process.
• Inherent risk: It usually refers to inevitable control measures or systems. According to the audit process/entity risk level, the business system and the OA system have high-risk levels and low-risk impacts. We may temporarily abandon the OA system audit and accept it as an inherent risk. And there are no relevant internal control Circumstances, major errors, or risks of exposure.
• Control risk: There is an internal control system, but it can’t be prevented or detected by the internal control system in a timely manner. Generally, it is failure control, which needs to be strengthened. Using automation methods (such as big data analysis, data verification program, virus scanning program) can be reduced.
• Detection risk: Major errors or false positives that have occurred but failed to be detected due to improper procedures adopted by the IS auditor. Related to sampling risk. Auditors need to pay attention to these and work hard to reduce such risks.
• Overall audit risk: a combination of various audit risks assessed on individual control objectives.
Determining materiality is a professional judgment of auditors, including the overall consideration of the impact of errors, negligence, violations, and illegal behaviors on the organization caused by control deficiencies in the audited field. When IT auditors use risk-based audit methods to evaluate internal control, they should pay attention to the assessment of the significance of the issues.