SUMMARY OF STUDY OBJECTIVES

An introduction to auditing IT processes. Nearly all companies use computerized systems to conduct business and account for business activities, and many businesses are overwhelmed with the volume of computerized data available for reporting and decision-making purposes. In light of this heightened volume of information and level of information processing, the audit function is as important as ever in improving the quality of information available to decision makers.

The various types of audits and auditors. The three primary types of audits include compliance audits, operational audits, and financial statement audits. Audits may be conducted by CPAs, internal auditors, IT auditors, or government auditors.

Information risk and IT-enhanced internal control. Information risk is the chance that information available to decision makers may be inaccurate. Information risk may be reduced through the use of information that has been audited. Auditors rely on both manual and computer controls to reduce information risk. Computer controls often compensate for weaknesses in manual controls.

Authoritative literature used in auditing. Audit guidance is found in generally accepted auditing standards, as well as standards issued by the Public Company Accounting Oversight Board, the Auditing Standards Board, the International Auditing and Assurance Standards Board, and the Information Systems Audit and Control Association.

Management assertions used in the auditing process and the related audit objectives. Management makes claims regarding the financial status and results of operations of the business organization, and audit objectives relate to each of these assertions. The assertions include existence, valuation, completeness, rights and obligations, and presentation and disclosure.

The phases of an IT audit. An audit engagement is typically characterized by four phases, including planning, tests of controls, substantive testing, and completion/reporting.

The use of computers in audits. Depending on the nature of a client company's computerized systems, an auditor may perform auditing around the computer, auditing through the computer, or auditing with the computer using computer assisted audit techniques.

Tests of controls. General controls and application controls can be tested during an audit to determine whether they are working as they were designed to work. This will be done only if the auditor intends to rely on the effectiveness of the client's internal controls as a means of justifying a reduced extent of substantive tests in the remaining phases of the audit.

Tests of transactions and tests of balances. Substantive tests involve the accumulation of evidence in support of transactions that have occurred and the resulting account balances. The extent of substantive testing necessary in an audit depends upon the strength of the client's underlying controls.

Audit completion/reporting. The final phase of an audit involves an evaluation of the evidence accumulated from all audit tests in order to reach an overall conclusion on the fair presentation of the reported information. Thorough communication is key in this phase; the company's management issues a letter of representations, the auditors issue an audit report, and discussions are held with company directors.

Other audit considerations. Audit procedures need to be tailored to the specific characteristics of each client's business. In particular, extensive testing is generally used when auditing personal computer environments, for companies using extensive database or networking systems, and for companies where significant computer changes have been implemented. To assist in efficient completion of audit tests, sampling techniques are available whereby a subset of the population is tested.

Ethical issues related to auditing. Auditors are bound by a code of conduct adopted by the professional organizations that guide the various practices of auditing. The ethical principles that are the foundation of these code include professional responsibilities, service to the stakeholders/public interest, integrity, objectivity and independence, the exercise of due care, and the observance of professional conduct.