Information Technology Audit Process - Planning The Audit

Planning The Audit

IS Standard 050 (Planning) states, “The IT auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.”

One of the first tasks an auditor must do when planning the audit is to develop a working budget. The IT audit manager must know the capabilities of the audit staff assigned to the project. In addition to budgeted time needed to perform the audit, the IT audit manager should also budget time needed to train the audit staff (if needed) and allow time for any error correction purposes.

While planning the audit, the auditor decides what level of audit risk (the risk of reaching an incorrect conclusion based on the audit findings) he or she is willing to accept. The more effective and extensive the audit work is, the less the risk that a weakness will go undetected and the auditor will issue an inappropriate report. Audit risk is dependent on the auditors assessed levels of inherent risk (the susceptibility of an audit area to error which could be material, assuming there are no related internal controls), control risk (the risk a material weakness will not be prevented or detected by internal controls), and detection risk (the risk substantive tests will not detect an error which could be material). These risks are determined when the auditor performs a risk assessment of the organization.

Additionally, in order to evaluate whether an IT audit has been successful, the auditor must first identify the intended scope and objectives of the audit to test management’s assertions on their information systems. To meet the audit objectives, and to ensure that audit resources will be used efficiently, the auditor will need to establish levels of materiality. The auditor should consider both qualitative and quantitative aspects in determining materiality. An assessment of risk should be made to provide reasonable assurance that all material items will be adequately covered during the audit work. This assessment should identify areas with relatively high risk of existence of material problems.