GINFORM plans the Information Technology audit in two major steps.  The first step is to gather information and plan; the second step is to gain an understanding of the existing internal control structure.  More and more organizations are moving to a risk-based audit approach, which assesses risk and helps the IT auditor decide whether to perform compliance testing (testing that the controls exist and operate as designed) or substantive testing (testing the transactions and data directly).  In a risk-based approach, we rely on internal and operational controls as well as knowledge of the company and its business.  This type of risk assessment decision helps relate the cost-benefit analysis of a control to the known risk.  In the “Gathering Information” step, GINFORM needs to identify five items:

  • Knowledge of business and industry
  • Prior year’s audit results (if applicable)
  • Recent financial information
  • Regulatory statutes
  • Inherent risk assessment

In the step “Gain an Understanding of the Existing Internal Control Structure”, GINFORM needs to identify five other areas/items:

  • Control environment
  • Control procedures
  • Detection risk assessment
  • Control risk assessment
  • Equate total risk (combine the inherent, control, and detection risk assessments into an overall audit risk)

Objectives of an IT audit

Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are functioning as expected to minimize business risk. These objectives include assuring compliance with legal and regulatory requirements, as well as the confidentiality, integrity, and availability of information systems and data.

IT audit strategies

There are two areas to decide. The first is whether we should perform compliance or substantive testing; the second is how we go about obtaining the evidence that allows us to audit the application and report to management.
To answer the second question, GINFORM needs to:

  • Review IT organizational structure
  • Review IT policies and procedures
  • Review IT standards
  • Review IT documentation
  • Review the organization’s business impact analysis (BIA)
  • Interview the appropriate personnel
  • Observe the processes and employee performance
  • Examine the evidence, which by necessity incorporates the testing of controls and therefore includes the results of those tests