Conducting the Audit in a Layered Fashion

The auditor should conduct the audit according to the scope of the plan. This includes auditing the systems included in the plan within the specified time frame. Categorizing the audit into recognizable chunks by domains helps keep the audit focused with minimal reference to other systems. Although the scope may be defined to a specific domain, the auditor needs to recognize the various system inputs, processes, and outputs. This ensures that other domains are covered as needed.

A layered audit approach across the domains of the IT infrastructure will be necessary when systems span the domains. This is especially evident in audits of a particular process. An external audit over financial reporting controls is a perfect example. A company’s financial system can span multiple domains and even include third-party providers such as payroll service providers. This means the auditor has to verify the controls considering the process and the infrastructure that the process uses.

Two types of testing are available to an auditor: a test of design and a test of operating effectiveness.

The testing of design is used to determine whether the controls, operated as designed, would achieve the risk reduction goal. At this point, the audit does not determine whether the control is deployed. The question is, “If the control were deployed, would it reduce the risk appropriately and achieve the control objective?” The auditor can test design through interviews, observation of the company's operations, and inspection of relevant documentation. Walkthroughs that include these procedures are ordinarily sufficient to evaluate design effectiveness.

The testing of operating effectiveness is used to determine whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively. This test ensures the control is fully deployed and is achieving the control objectives.

These should be viewed as two separate audit tests. First the auditor tests the design, and only then tests for operating effectiveness. If a control fails the design test, the auditor should not test it for operating effectiveness. In other words, if the design of the control is flawed, then regardless of whether it is deployed, the control will not achieve its goal and reduce risk.
