CONTENTS

1. Introduction on IS Audit
1.1. Introduction
1.2. Audit Objectives
2. Audit in Computerized Environment
2.1. Understanding of Computerized Environment
2.2. Accounting Information Systems in Computerized Environment
2.3. Impact of IT on Economics of Auditing
2.4. Concept of Security
2.5. IS Management
2.6. Availability of Information Systems
2.7. Access Control
2.8. Database Management
2.9. Application Controls and their Functioning
2.10. Evaluation of Business Risks
2.11. Conversion Audit
3. Audit Organization and Management
3.1. Organization Strategy
3.1.1. Hiring The Right People
3.1.2. Improving Audit Processes
3.1.3. Focusing on Collaboration
3.2. IS Audit as Review of Management
4. Risk Based Audit Framework
4.1. Introduction to the Risk based Audit Framework (RBAF)
4.1.1. What is an RBAF
4.1.2. Why do we need RBAF?
4.1.3. Development and Implementation of the RBAF
4.1.4. Planning and Preparing an RBAF
4.2. Components of an RBAF
4.2.1. Introduction
4.2.2. Roles, Responsibilities and Relationships
4.2.3. Program Profile
4.2.4. Risk Assessment and Management Summary
4.2.5. Program Monitoring and Recipient Auditing
4.2.6. Internal Auditing
4.2.7. Reporting Strategies
4.3. RBAF/RMAF Integration
5. Audit Standards
5.1. Code of Professional Ethics
5.2. IS Auditing Standards
5.3. IS Auditing Guidelines
6. Use of Computer Assisted Audit Techniques (CAAT)
6.1. Background
6.2. Planning
6.3. Performance of Audit Work
6.4. CAATs Documentation
6.5. Reporting
1. Introduction on IS Audit
1.1 Introduction
The Working Group on Information Systems Security for the Banking and Financial Sector constituted by the Reserve Bank of India enumerated that each bank in the country should put in place an Information Systems Audit Policy. Accordingly, the Information Systems Audit and Security cell prepares the Information Systems Audit Policy. The fundamental principle is that risks and controls are continuously evaluated by the owners, where necessary with the assistance of the IS Audit function.

Business operations in the banking and financial sector have become increasingly dependent on computerized information systems over the years. It has now become impossible to separate information technology from the business of the banks. There is a need for focused attention on the issues of corporate governance of information systems in a computerized environment and on the security controls that safeguard information and information systems. Developments in information technology have a tremendous impact on auditing. A well-planned and structured audit is essential for risk management and for monitoring and controlling information systems in any organization.
1.2 Audit Objectives
Auditing is a systematic and independent examination of the information systems environment to ascertain whether the objectives set out to be achieved have been met. Auditing is also described as a continuous search for compliance. The objective of IS audit is to identify the risks that an organization is exposed to in the computerized environment. IS audit evaluates the adequacy of the security controls and informs management with suitable conclusions and recommendations. IS audit is an independent subset of the normal audit exercise. Information systems audit is an ongoing process of evaluating controls and suggesting security measures for the purpose of safeguarding assets and resources, maintaining data integrity, and improving system effectiveness and efficiency so as to attain organizational goals. A well-planned and structured audit is essential for risk management and for monitoring and controlling information systems in any organization.
1.2.1 Safeguarding IS assets
The information systems assets of the organization must be protected by a system of internal controls. This includes protection of hardware, software, facilities, people, data, technology, system documentation and supplies. Hardware can be damaged maliciously, software and data files may be stolen, deleted or altered, and supplies of negotiable forms can be used for unauthorized purposes. The IS auditor will be required to review the physical security over the facilities, the security over the systems software and the adequacy of the internal controls. The IT facilities must be protected against all hazards, whether accidental or intentional.
1.2.2 Maintenance of Data Integrity
Data integrity includes safeguarding information against unauthorized addition, deletion, modification or alteration. The desired features of the data are described hereunder:
a. Accuracy: Data should be accurate. Inaccurate data may lead to wrong decisions and thereby hinder the business development process.
b. Confidentiality: Information should not lose its confidentiality. It should be protected from being read or copied by anyone who is not authorized to do so.
c. Completeness: Data should be complete.
d. Reliability: Data should be reliable, because all business decisions are taken on the basis of the current database.
e. Efficiency: The ratio of output to input is known as efficiency. If output is more with the same or less actual input, system efficiency is achieved; otherwise the system is inefficient. If computerization results in a degradation of efficiency, the effort of making the process automated stands defeated. IS auditors are responsible for examining how efficient the application is in relation to its users and workload.
2. Audit in Computerized Environment
2.1. Understanding Computerized Environment
In this section we explain how a computerized environment changes the way business is initiated, managed and controlled.

Information technology helps in the mitigation and better control of business risks, and at the same time brings along technology risks. Computerized information systems have special characteristics which require different types of controls. Technology risks are controlled by general IS controls and business risks are controlled using application controls. Even though the controls are different, the objectives of the audit function do not change whether information is maintained in a computerized environment or a manual environment; only the tools and techniques differ.

The changes in control and audit tools as well as techniques have resulted in new methods of audit. The internal controls are mapped onto the technology. These controls and their mapping need to be understood, as do the methods to evaluate and test these controls. The auditor must learn new skills to work effectively in a computerized environment. These new skills are categorized in three broad areas:
• First, understanding of computer concepts and system design;
• Second, understanding the functioning of the Accounting Information System (AIS), an ability to identify new risks, and an understanding of how the internal controls are mapped onto the computers to manage technology and business risks;
• Third, knowledge of the use of computers in audit.
Acquisition of these skills has also opened up new areas of practice for auditors like Information System Audit, Security Consultancy, Web Assurance, etc.
2.2. Accounting Information Systems in Computerized Environment
In this section we bring out the fact that the Accounting Information System in the manual and computerized environments is not the same.

In the computerized environment accounting records are kept in computer files, which are of three types, namely master file, parameter file and transaction file. This classification is not based on the types of records but on the need and frequency of updating and the level of security required. File and record security is implemented using the facilities provided by the operating system, database and application software.

With the increasing use of information systems, transaction-processing systems play a vital role in supporting business operations, and many a time a TPS is actually an AIS. Every transaction processing system has three components: input, processing and output. Since information technology follows the GIGO (garbage-in-garbage-out) principle, it is necessary that input to the system be accurate, complete and authorized. This is achieved by automating the input; a large number of devices are now available to automate the input process for a TPS. There are two types of TPS, batch processing and on-line processing, and the documents, controls and security implementation differ for each.

COBIT (Control Objectives for Information Technology) is an internal control framework established by ISACA for an information system. COBIT can be applied to the Accounting Information System. To apply the COBIT framework an organization should:
• Define the information system architecture
• Frame security policies
• Conduct technology risk assessment
• Take steps to manage technology risks, like designing appropriate audit trails; providing systems and software security; having a business continuity plan; managing IS resources like data, applications and facilities; periodically assessing the adequacy of internal controls and obtaining independent assurance for the information system.

We then explain the functioning of typical sales, purchase and payroll accounting systems in a computerized environment. In particular, we focus on the inputs required, application controls, processing, reports generated, exception reports, files used and standing data used.

To enable an auditor to understand the accounting information system so that he can collect audit evidence, we have covered flowcharting techniques too.
2.3. Impact of IT on Economics of Auditing
In this section we have discussed the impact of IT on the nature and economics of auditing. With the emerging areas of practice and the auditors having acquired IT skills, the economics of auditing have also changed. During the past three decades, IFAC has issued several relevant standards for auditing in a computerized environment. These standards cover areas like risk assessment in a computerized environment, stand-alone computers, database systems, on-line information systems, etc. Some standards issued for the manual environment are also applicable here. AICPA and ISACA have issued standards covering various areas in IS audit. Some of these standards, like the standards on evidence, audit planning, etc., are relevant for financial auditors and find a mention in this section.

Information technology also impacts audit documentation, reporting, work papers, etc. Auditing in a computerized environment integrates the skills and knowledge of traditional auditing, information systems, and business and technology risks; IT impacts audit planning, audit risk, audit tools and techniques, etc. Since detection risk can now be controlled using computer assisted tools and techniques, overall audit risk can be controlled and reduced.

This risk-based audit approach starts with the preliminary review. The next step is risk assessment. Under the audit approach, depending upon the intensity of the use of information technology, audit is done either through the computers or around the computers. Once the approach is decided, the next step is to assess general IS controls and application controls. Using CAATs, the controls are assessed, evidence is collected and evaluated, and reports are prepared using the information systems.
2.4. Concept of Security
In this section we discuss the concept of security in detail. IS resources are vulnerable to various types of technology risks and are subject to financial, productivity and intangible losses. Resources like data actually represent the physical and financial assets of the organization. Security is a control structure established to maintain the confidentiality, integrity and availability of data, application systems and other resources.

A few principles need to be followed for effective implementation of information security. These are: accountability, which means clear apportionment of duties, responsibilities and accountability in the organization; creation of security awareness in the organization; cost-effective implementation of information security; integrated efforts to implement security; periodic assessment of security needs; and timely implementation of security.

Information security is implemented using a combination of general IS controls and application controls. General IS controls include implementation of security policy, procedures and standards, implementation of security using systems software, the business continuity plan and information systems audit.

Besides these, various other types of controls are also used for implementation: framing and implementing a security policy; environmental, physical, logical and administrative controls; physical controls including locks and keys, biometric controls and environmental controls; logical controls like the access controls implemented by operating systems, database management systems and utility software through sign-on procedures, audit trails, etc.; administrative controls like separation of duties, security policy, procedures and standards; disaster recovery and business continuity plans; information systems audit, etc.
2.5. IS Management
Information systems audit is a process to collect and evaluate evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently.

The common element between any manual audit and IS audit is data integrity. All types of audits (information audits) have to evaluate data integrity. Since IS audit involves efficiency and effectiveness, it includes some elements of management and propriety audit too.

IS audit evaluates the IS management function. According to COBIT, there are five IS resources: people, application systems, technology, data and facilities. The IS management function can be divided into four phases, like any other management function:
• Management (which is equivalent to planning and organization)
• Implementation and deployment
• Directing and controls
• Audit and monitoring.

In this section, we discuss the most important activities and controls for each of the resources during each phase of information systems management. We also discuss what an IS auditor would like to review during each phase for each resource.

All said and done, it should never be forgotten that the heart of IS audit is the systems audit, which reviews the controls implemented on the system using systems software. Systems audit is a subject of skills acquisition and not knowledge acquisition. A sample checklist for UNIX audit is included in the section.
2.6. Availability of Information Systems
In this section we have discussed the availability of information systems. Security serves three purposes: confidentiality, availability and integrity. While access controls provide confidentiality and availability, the business continuity process and back-up procedures provide availability.

Availability risk is one of the major technology risks. With the increasing coupling of business processes with information systems, which are in turn exposed to technology risks, there is a dire need to have a disaster recovery plan in place. While insurance can provide compensation for the loss of resources, a disaster recovery plan puts the various IS resources back in place if such a disaster ever occurs. It is, therefore, a corrective control.

A business continuity plan begins with business impact analysis and involves risk evaluation and loss estimates for the outage. On the basis of outage costs, disaster recovery resources are put in place. Owing to cost/benefit considerations, disaster recovery resources cannot be put in place for all types of disasters. They are put in place for the likely disasters and for critical applications. The estimations made and priorities set for the disaster recovery plans also give financial auditors an idea about the risks and importance of an application. This can also be a factor while planning for audit in a computerized environment.
2.7. Access Control
All information systems involve two basic pieces of software, the operating system and the database. Both have the ability to control access to data and applications. The operating system controls access at the directory and file level, while the database controls access at the record and field level. In this section we discuss the capabilities of operating systems to implement security.

Application controls are implemented using the access control facilities of operating systems and database systems. Both provide an interface between the application controls and the general IS controls. To ensure data integrity, it is necessary to control access to the data, applications and other resources. All users must get just-minimum-access, which has two aspects to it:
• First, only authorized users should have access.
• Second, even authorized users should not have full access. The access should be need based.
For this, all operating systems have two types of facilities, namely authentication and authorization. Authentication allows only the authorized users to access the system. Authorization allows just-minimum-access to files and directories. To manage both these facilities, all operating systems have a facility called systems administration. The first thing auditors should do when they start working under a new operating system is to get to know the authorization, authentication and system administration functions relating to these facilities. Fortunately, all operating systems have more or less the same type of facilities, so the learning becomes quicker.
2.8. Database Management
A database provides two important features: data sharing and data independence. Data sharing means that users and applications share data, and data independence means that data is stored independent of applications. These features make information system implementation easy and, at the same time, increase the security concerns.

A database offers facilities like a data dictionary and a database administrator to implement the database. A database management system also provides facilities to address the concerns raised by data sharing and data independence. Every database provides facilities to implement sign-on procedures (user identification and authentication) and authorization mechanisms. To maintain data integrity, the just-minimum-access rule should be followed. The database facilities are used to create the audit trail and to implement application controls. The data files need to be backed up regularly.

The IT Act has prescribed that all record retention rules are also applicable to electronic records. The Reserve Bank of India has also prescribed record retention rules for the banks, and IFAC has issued standards for database systems used in accounting information systems. Oracle is the most commonly used RDBMS in India and the world over, providing facilities to implement access controls through sign-on procedures and authorization. Authorization is implemented through object ownership, granting of privileges, and creation of roles and assignment of roles to users.
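As an added illustration of the just-minimum-access review described in 2.7 and 2.8 (example code written for this edition, not from the original text or any vendor), the Python below compares the roles and table privileges each database account actually holds, including privileges inherited through nested roles, against the access approved for that person's job. The grant lists, job list and approved-access matrix are constructed; data-dictionary exports would take their place in practice.

```python
"""Just-minimum-access review of database grants (added example).

Constructed data.  Two grant lists model what the text describes for Oracle:
roles granted to users (or to other roles) and table privileges granted to
users or roles.  Column layouts are our own, not a vendor's view definitions.
"""
from collections import defaultdict

# Constructed: who holds which role.  A grantee may itself be a role, which
# is how a nested role (SUPERVISOR inherits everything TELLER has) arises.
ROLE_GRANTS = [
    ("ashok", "TELLER"),
    ("meena", "SUPERVISOR"),
    ("SUPERVISOR", "TELLER"),
    ("ravi", "AUDITOR"),
    ("temp01", "TELLER"),
]

# Constructed: table privileges, granted to a role (the intended path) or
# directly to a user (which bypasses the role structure).
TABLE_GRANTS = [
    ("TELLER", "SELECT", "ACCOUNTS"),
    ("TELLER", "INSERT", "TRANSACTIONS"),
    ("SUPERVISOR", "UPDATE", "TRANSACTIONS"),
    ("AUDITOR", "SELECT", "ACCOUNTS"),
    ("AUDITOR", "SELECT", "TRANSACTIONS"),
    ("AUDITOR", "SELECT", "AUDIT_TRAIL"),
    ("ravi", "DELETE", "AUDIT_TRAIL"),
]

# Constructed: the authorised-user list (from HR) and the access each job
# needs.  These express the two aspects of just-minimum-access: only these
# people may hold accounts, and each needs only this much.
JOB_OF_USER = {"ashok": "TELLER", "meena": "SUPERVISOR", "ravi": "AUDITOR"}
APPROVED = {
    "TELLER": {("SELECT", "ACCOUNTS"), ("INSERT", "TRANSACTIONS")},
    "SUPERVISOR": {("SELECT", "ACCOUNTS"), ("SELECT", "TRANSACTIONS"),
                   ("UPDATE", "TRANSACTIONS")},
    "AUDITOR": {("SELECT", "ACCOUNTS"), ("SELECT", "TRANSACTIONS"),
                ("SELECT", "AUDIT_TRAIL")},
}


def expand_roles(grantee, role_grants):
    """Return every role reachable from grantee, following nested grants."""
    held = defaultdict(set)
    for g, role in role_grants:
        held[g].add(role)
    seen, stack = set(), list(held[grantee])
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(held[role])
    return seen


def effective_privileges(user, role_grants, table_grants):
    """Map (privilege, table) -> the path by which the user holds it."""
    path_of = {user: "DIRECT"}
    path_of.update({r: f"role {r}" for r in expand_roles(user, role_grants)})
    effective = {}
    for grantee, priv, table in table_grants:
        if grantee in path_of:
            # If a privilege arrives both ways, record the direct grant.
            if (priv, table) not in effective or path_of[grantee] == "DIRECT":
                effective[(priv, table)] = path_of[grantee]
    return effective


def review_access(job_of_user, approved, role_grants, table_grants):
    """Compare effective access with approved access; return sorted findings."""
    roles = {role for _, role in role_grants}
    users = {g for g, _ in role_grants} | {g for g, _, _ in table_grants}
    findings = []
    for user in sorted(users - roles):
        job = job_of_user.get(user)
        if job is None:
            # Aspect one: an account with no authorised owner behind it.
            findings.append((user, "NO_JOB_RECORD", "account has no authorised owner"))
            continue
        effective = effective_privileges(user, role_grants, table_grants)
        for (priv, table), path in sorted(effective.items()):
            what = f"{priv} ON {table}"
            if path == "DIRECT":
                findings.append((user, "DIRECT_GRANT", what))
            # Aspect two: access beyond what the job needs, however it arrived.
            if (priv, table) not in approved[job]:
                findings.append((user, "EXCESS_PRIVILEGE", f"{what} ({path})"))
    return findings


if __name__ == "__main__":
    for finding in review_access(JOB_OF_USER, APPROVED, ROLE_GRANTS, TABLE_GRANTS):
        print(*finding, sep=" | ")
```

On the constructed data the review flags the nested TELLER role giving the supervisor an INSERT she does not need, a direct DELETE grant to the auditor, and an account with no owner on the HR list.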
2.9. Application Controls and their Functioning
In this section, we have explained the various types of application controls and their functioning. Business faces two types of operational risks: business risks and technology risks. Technology risks are controlled and mitigated by general IS controls, and business risks by application controls. However, it is difficult to draw a dividing line between the two, since application controls are implemented on the facilities provided by general IS controls.

The primary purpose of application controls is data integrity. This is achieved by ensuring integrity of input, processing and output. Application controls primarily deal with the audit objectives. The objective of any audit is to verify the assertions made in the financial statements. Assessing the application controls can assess all seven types of assertions made in a financial statement. COBIT has dealt with application controls at length in all the phases of information systems management.

Application controls can be divided into:
• Validation of input
• Authorization of input
• Completeness of input
• Accuracy of input
• Integrity of stored data
• Integrity of standing data
• Completeness and accuracy of standing data
• Completeness and accuracy of processing
• Restricted access to assets and data
• Confidentiality and integrity of output.

Application controls being program procedures, their effectiveness can be tested either by continuous audit or by a substantive audit using general audit software. In the next section, we explain how general audit software can be used for assessing application controls.
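As an added example (not from the original text), the Python below applies the input controls listed above to a constructed batch of transactions: validation, authorization, completeness and accuracy of input, and integrity of standing data. The Luhn check digit on account numbers, the approver limits and the batch header carrying a record count and control total are conventions assumed for this example.

```python
"""Application input controls over a transaction batch (added example).

Constructed data.  The Luhn check digit, approver limits and the batch
header are conventions assumed for this example, not taken from the text.
"""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed standing data: account master file and the authorization table
# (approver id -> highest amount that approver may authorize).
MASTER_FILE = {
    "12345674": {"name": "A. Kumar", "status": "ACTIVE"},
    "20000014": {"name": "B. Rao", "status": "ACTIVE"},
    "31000029": {"name": "C. Sen", "status": "CLOSED"},
}
APPROVER_LIMITS = {"sup01": Decimal("100000"), "sup02": Decimal("25000")}
VALID_CODES = {"DR", "CR"}


def luhn_valid(number):
    """Accuracy control: Luhn check digit on an all-digit account number."""
    if not number.isdigit():
        return False
    digits = [int(ch) for ch in reversed(number)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0


def check_transaction(txn, master=MASTER_FILE, limits=APPROVER_LIMITS):
    """Return the list of control failures for one record (empty = clean)."""
    errors = []
    # Validation of input: field formats and ranges.
    if txn["code"] not in VALID_CODES:
        errors.append(f"transaction code {txn['code']!r} not recognised")
    try:
        amount = Decimal(txn["amount"])
        if amount <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        amount = None
        errors.append(f"amount {txn['amount']!r} is not numeric")
    try:
        date.fromisoformat(txn["date"])
    except ValueError:
        errors.append(f"date {txn['date']!r} is not a valid date")
    # Accuracy of input: the check digit catches mis-keyed account numbers.
    if not luhn_valid(txn["account"]):
        errors.append("account check digit invalid")
    # Integrity of standing data: the account must exist and be open.
    elif txn["account"] not in master:
        errors.append(f"account {txn['account']} not on master file")
    elif master[txn["account"]]["status"] != "ACTIVE":
        errors.append(f"account {txn['account']} is {master[txn['account']]['status']}")
    # Authorization of input: a known approver acting within their limit.
    limit = limits.get(txn["approved_by"])
    if limit is None:
        errors.append(f"approver {txn['approved_by']!r} not authorised")
    elif amount is not None and amount > limit:
        errors.append(f"amount {amount} exceeds approver {txn['approved_by']} limit {limit}")
    return errors


def process_batch(header, txns, master=MASTER_FILE, limits=APPROVER_LIMITS):
    """Apply record-level controls, then the batch-level completeness control."""
    result = {"accepted": [], "rejected": {}, "batch_exceptions": []}
    keyed_total = Decimal("0")
    for txn in txns:
        try:
            keyed_total += Decimal(txn["amount"])
        except InvalidOperation:
            pass  # the record-level check reports the bad amount
        errors = check_transaction(txn, master, limits)
        if errors:
            result["rejected"][txn["id"]] = errors
        else:
            result["accepted"].append(txn["id"])
    # Completeness of input: every source document keyed once, as written.
    if header["record_count"] != len(txns):
        result["batch_exceptions"].append(
            f"record count {header['record_count']} does not match {len(txns)} records keyed")
    if Decimal(header["control_total"]) != keyed_total:
        result["batch_exceptions"].append(
            f"control total {header['control_total']} does not match keyed total {keyed_total}")
    return result


# Constructed batch: two clean records (T1, T6) and four that each fail a control.
BATCH_HEADER = {"record_count": 6, "control_total": "48900.00"}  # total mis-keyed by 50
BATCH = [
    {"id": "T1", "account": "12345674", "code": "DR", "amount": "5000.00", "date": "2024-03-01", "approved_by": "sup02"},
    {"id": "T2", "account": "20000014", "code": "CR", "amount": "40000.00", "date": "2024-03-01", "approved_by": "sup02"},
    {"id": "T3", "account": "12345670", "code": "DR", "amount": "1200.00", "date": "2024-03-01", "approved_by": "sup01"},
    {"id": "T4", "account": "31000029", "code": "DR", "amount": "300.00", "date": "2024-03-01", "approved_by": "sup01"},
    {"id": "T5", "account": "20000014", "code": "XX", "amount": "-50.00", "date": "2024-02-30", "approved_by": "clerk9"},
    {"id": "T6", "account": "12345674", "code": "CR", "amount": "2500.00", "date": "2024-03-02", "approved_by": "sup01"},
]
```

Running `process_batch(BATCH_HEADER, BATCH)` rejects T2 to T5 with the specific control each fails and raises a batch-level exception because the keyed total differs from the header's control total.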
2.10. Evaluation of Business Risks
The job of a financial auditor is to evaluate business risks. Business risks are controlled and managed by implementing application controls. Therefore, the primary duty of a financial auditor is to evaluate application controls so as to reduce the control risk to the minimum. Computers follow the garbage-in-garbage-out principle. It is, therefore, better if application controls are evaluated for compliance. Since application controls are program procedures, if they comply with the internal control policies of the company once, they shall continue to comply unless changed. However, as in the manual environment, compliance testing is difficult, indirect and requires more cost, time and resources. Therefore, in most cases substantive testing is done; compliance testing is done only for the crucial systems.

The aim of substantive testing, or for that matter all types of testing, is to evaluate the assertions made in the financial statement, that is, whether the financial statement depicts a true and fair picture. Since the auditor cannot do much about the inherent risks and control risks, he has to plan his audit to use such tools and techniques as will reduce the detection risk. Computer assisted tools and techniques help here, more so a general tool-set providing facilities to conduct substantive testing.

ACL is the market leader in the arena of general audit software. The software provides the facilities needed by an auditor to evaluate all the seven types of assertions made in any financial statement. In addition, it also offers the facility to create work papers, crucial in any audit assignment, besides providing an option to understand the data and files.

ACL software offers tools to understand the quantitative features of the data as well as the qualitative features of the data. Moreover, it provides facilities to conduct substantive testing. To enable both analytical procedures and substantive testing at the transaction level, it has utility facilities like indexing, sorting, joining, setting relations, creating output files, exporting files, extracting files, etc.

ACL has an excellent feature to create a command log. This keeps a check on the auditor, improves audit quality and also proves useful for work papers. Each ACL document, by default, has a log file. In addition, ACL can also be used for testing the controls implemented on the system, like the security facilities of an operating system and database. Therefore, it can also help in systems audit.
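As an added example (not ACL's own code and not from the original text), the Python below re-performs the kind of substantive tests this section attributes to general audit software over a constructed payments file: a join to the vendor master, a duplicate-payment extract, a cheque-sequence gap test, and a command log that records each procedure run for the work papers.

```python
"""Substantive tests over a payments file, general-audit-software style
(added example; constructed data, not ACL's own code).
"""
from collections import Counter
from datetime import datetime

# Constructed vendor master (standing data) and payments file (transactions).
VENDOR_MASTER = {
    "V100": {"name": "Alpha Supplies", "status": "ACTIVE"},
    "V200": {"name": "Beta Services", "status": "ACTIVE"},
    "V300": {"name": "Gamma Traders", "status": "INACTIVE"},
}
PAYMENTS = [
    # (cheque_no, vendor, invoice, amount)
    (1001, "V100", "INV-7", "12500.00"),
    (1002, "V200", "INV-31", "800.00"),
    (1003, "V100", "INV-7", "12500.00"),   # same vendor/invoice/amount as 1001
    (1005, "V300", "INV-2", "4300.00"),    # inactive vendor; cheque 1004 missing
    (1006, "V999", "INV-9", "990.00"),     # vendor not on master
    (1007, "V200", "INV-32", "150.00"),
]


class AuditSession:
    """Runs procedures over a file and records each one in a command log,
    the way the text describes ACL's per-document log supporting work papers."""

    def __init__(self, name):
        self.name = name
        self.log = []

    def run(self, procedure, *args):
        result = procedure(*args)
        self.log.append(f"{datetime.now():%Y-%m-%d %H:%M:%S} {self.name}: "
                        f"{procedure.__name__} -> {len(result)} record(s)")
        return result


def join_to_master(payments, master):
    """Join on vendor code; extract payments to vendors missing or not active."""
    exceptions = []
    for cheque, vendor, _invoice, _amount in payments:
        status = master.get(vendor, {}).get("status", "NOT ON MASTER")
        if status != "ACTIVE":
            exceptions.append((cheque, vendor, status))
    return exceptions


def duplicate_payments(payments):
    """Sort on vendor+invoice+amount and extract keys that occur more than once."""
    counts = Counter((v, inv, amt) for _, v, inv, amt in payments)
    return [(key, sorted(c for c, v, inv, amt in payments if (v, inv, amt) == key))
            for key in sorted(k for k, n in counts.items() if n > 1)]


def sequence_gaps(payments):
    """Index on cheque number and list numbers missing from the sequence."""
    numbers = {cheque for cheque, *_ in payments}
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def run_substantive_tests(payments, master, session_name="payments-review"):
    """Run the three tests under one logged session; return findings and log."""
    session = AuditSession(session_name)
    findings = {
        "vendor_exceptions": session.run(join_to_master, payments, master),
        "duplicates": session.run(duplicate_payments, payments),
        "missing_cheques": session.run(sequence_gaps, payments),
    }
    return findings, session.log


if __name__ == "__main__":
    found, log = run_substantive_tests(PAYMENTS, VENDOR_MASTER)
    for name, rows in found.items():
        print(name, rows)
    print("\n".join(log))
```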
2.11. Conversion Audit
This section explains conversion audit. Conversion to the computerized environment is fast picking up in India. The process has also been accelerated by the enactment of the Information Technology Act, 2000 and the instructions from the Chief Vigilance Commissioner to the banking sector to computerize 100% of their business. Data conversion is a part of any software project. It requires a lot of technical competence to be able to convert from one database to another and from one application to another. Conversion audit is conducted to check the accuracy of such conversion.

3. Audit Organization and Management
3.1 Organization Strategy
Chasing best practices is not enough to ensure a highly successful audit organization. To add value to the company and excel in the audit world, internal auditors must be agile in anticipating change, using resources, and partnering with management to address risks and improve operations.

An audit organization or group which subscribes to just such a philosophy has built what many of its peers have deemed a "world-class" organization over the last several years. The group has learned that to be successful it must generate an appropriate internal audit infrastructure, tailor audit approaches to each business unit within the company, and create "over-the-top" results by focusing on four basic elements: people, processes, electronic platforms, and focused collaboration with senior management.

3.1.1 Hiring the Right People
Internal auditing is organized regionally, with the chief audit executive located at the company's world headquarters and audit groups located around the world. The group is primarily focused on processes, including operations, business process and financial controls, throughout all areas of the company's businesses. A diverse group of auditors brings several skill sets to audit areas that include project management, manufacturing, supply management, and product marketing and sales.

The internal auditors who work for the group were hired both for their potential and their experience. Within the context of this framework, most of the auditors possess advanced degrees and are at least bilingual.

The audit group enhances the specific professional skills of newly hired experienced personnel by teaching them auditing techniques within the multifunctional electronic-systems platform. It is far more important for technical skills, rather than audit skills, to be the primary focus of this experienced group of people, because the company deals with a wide range of technology products and services.

The attributes most important for less experienced auditors are a keen, analytical mind; a consultative outlook; and potential for future movement into a business unit. These characteristics should be coupled with a tremendous curiosity, a desire to learn, and a willingness to work hard in a fast-paced travel environment.
4nce hired at % ine(perienced internal auditors deelop skills rapidly as they are
e(posed to a ariety of business issues in seeral different companies# Typically%
a team of t$o or three auditors $ill coer t$o or more ma)or business processes
during field$ork that lasts up to three $eeks# The auditors obtain a diersity of
e(perience coupled $ith a commonality of basic operating and control principles
that enable them to add more alue to the business each day they are there#
They are also gien $ritten performance ealuations during at least the first year
to monitor progress and identify areas for improement#
The oerall goal $ithin the group is to retain a small core of e(perienced auditors
and to rotate the balance to operating units after they hae been in the audit
group for appro(imately three years# The constant mi( and change of players
$ithin the audit organi&ation results in immense personal satisfaction% diersity of
$ork e(perience% and continual challenge#
".1.2 Improving Audit 3rocesses
4er the last seeral years% internal auditing $orld$ide has made significant
changes to its audit processes# The techni*ues used hardly seem reolutionary%
but hae proen effectie oer time# Ten years ago% the audit enironment $as
characteri&ed by.
B Basic audit processes that had $asteful steps and redundancies#
B 6inimal planning for indiidual audits#
B Field$ork that lasted too long '' four to eight $eeks '' and $as often too
detailed#
B !udit reports that took too long to issue#
B 5ard'copy $orkpapers that $ere often $eeks behind schedule and contained
too much e(traneous data#
B -is)ointed audit follo$'up#
B Cey performance metrics that $ere not tracked#
B !udit customers $ho did not receie the auditorsA full attention#
Beginning $ith the upgrading of personnel resources% the internal audit group
began to take steps to improe its processes# These steps included.
B 6apping basic audit processes and making necessary changes to be more
efficient and to add more alue#
B Reamping guidelines for internal audit operations#
B Re'engineering the audit process to reduce cycle time% measure performance%
and improe consistency#
B Introducing electronic audit platforms $ithin 8otus 9otes to gain significant
efficiencies#
B Implementing a permanent *uality process#
B Improing customer focus#
B -eeloping an audit mission and marketing brochure to help customers
understand internal auditingAs mission and the skills that the auditors bring to the
table#
Metrics played a key role in the successful upgrading of audit group processes by measuring key processes for improvement. Other results of introducing metrics include:
- Audit planning has become more current and focused since auditors began requiring specific information in advance from audit customers.
- Fieldwork is more focused and is accomplished in two to three weeks.
- A draft audit report is now completed at the end of fieldwork.
- Final audit reports, complete with management action plans, are issued less than D= days after fieldwork ends.
- Primary audit workpapers are electronic, streamlined, and completed within two weeks after fieldwork ends; secondary hard-copy workpapers are strictly limited and accessory only.
- Audit follow-ups include decision criteria by internal audit management to determine whether follow-ups will be in person or by letter and tracked electronically.
- Customer service has become a primary focus and includes a quality questionnaire completed by the customer after each audit.
- A full-time audit quality improvement process is in place to develop new and enhanced approaches to the audit function.
The quality improvement program has been an important aspect of internal auditing's overall process improvement initiative. The quality process has paid off in numerous improvements, including streamlined audit reports and a thorough audit follow-up process. Additionally, at the beginning of each year, the entire audit group brainstorms and prioritizes a list of internal audit projects aimed at improving audit processes. Each auditor selects one or more quality improvement projects for the year with the concurrence of the quality coordinator and general auditor. The auditors develop brief project descriptions and report on project status at quarterly quality meetings. These projects are completed outside of the normal audit assignments and monitored by an audit quality coordinator throughout the year. In the end, the projects result in tangible audit process improvements for the internal audit group.
During the improvement process, it became apparent that tying performance to compensation helps motivate auditors to undertake and deliver quality projects. For the auditors who will be rotating to other parts of the company, an Internal Auditor Quality Recognition Program, with achievement levels and corresponding substantial cash awards, has been developed. At the end of the year, a management committee, chaired by the audit quality coordinator, determines the program awards based on predetermined criteria. Award winners are then recognized at a group meeting. For the core staff that remains in the internal audit group, the quality improvement projects are a factor in determining merit compensation.
Another step in the overall internal audit quality improvement process involves holding in-person meetings with various companies external to [the company] to actively benchmark internal audit practices. The internal auditors share processes of interest with members of other organizations, who in turn brief the internal auditors on areas in which they have a particular focus. For example, the auditors saw different aspects of control self-assessment from meeting with other outside audit groups. From that, the internal auditors developed their own tool to fit -- a jointly facilitated self-assessment with a shared focus on operational improvements and controls within factories and projects.
Additional impetus was given to improving processes to meet the demands of the culture. For example:
- [The company] requires internal staff activities, including internal auditing, to bill for their services. The cycle time reductions in areas including fieldwork and reporting time were crucial in making the internal audit group competitive in this regard.
- Internal audit processes were made flexible and nimble to meet the challenges associated with constant change due to acquisitions and divestitures and business portfolio mix and emphasis.
- The processes needed to work, with modifications, for any situation. The internal auditors perform many nonstandard audits and special reviews based on management requests.
Robust and efficient processes are an integral part of building a world-class internal audit activity. However, many companies stop here, simply adopting best practices and benchmarking. The other elements -- people, electronic platforms, and focused collaboration -- are needed to work in concert with quality processes to produce the synergies and ultimately the results that mark leadership in internal auditing.
USING ELECTRONIC PLATFORMS
In the mid-1990s, [the company] decided to use Lotus Notes as its worldwide standard for groupware. Since then, internal audit has built a number of databases for audit processes using Lotus Notes. With this base, the internal audit group has developed and used the following tools, all accessible worldwide:
- ELECTRONIC WORKPAPERS
Incorporated into processes in late >FFG, they've expanded over the years and are used in a different format by internal audit worldwide. These include separate sections within the workpapers for process flow documentation, interviews, key document descriptions, and even logistics information.
- BEST PRACTICES DATABASE
An important tool to cross-pollinate successful practices as auditors travel from location to location, it represents top processes of companies as identified by auditors.
- TIMEKEEPING
The database can be "sliced and diced" to analyze hours or days by job, audit activity, and auditor. It also can accumulate billing data as well as perform many other functions.
- E-MAIL
Includes electronic distribution of audit reports.
- REFERENCE DATABASE
Located within the group, the Internal Control Documents database includes past audit reports, audit follow-up analyses, audit report distribution lists, key document templates, presentations, minutes of information sharing staff meetings, and other reference information.
- AUDIT PRACTICES REFERENCE PROGRAMS
Compiled by area.
- AUDIT MANAGEMENT AND AUDIT PROGRESS DATABASES
Used for internal administration of audits -- audit numbers, location data, team members, status, audit follow-up, and more -- these databases are also available to company management as a status of planned and active audits.
- MANUFACTURING AND SUPPLY MANAGEMENT TOOL KITS
Repositories of data and techniques for these areas.
- INTERNAL GUIDELINES
Instructions for the operation of the audit group.
- COMPANYWIDE POLICIES AND PROCEDURES
Accounting and reporting guidelines for all of [the company].
- CORPORATE DATABASES
Includes electronic expense reporting and news releases.
In addition, the auditors developed a kit of templates for key audit documents. The kit includes Word and Excel framework documents, such as audit engagement letters, audit reports, management action plans replying to audit reports, auditor job performance evaluations, and the audit quality questionnaire sent to customers following an audit.
[The company's] internal audit has also made extensive use of the Internet. The worldwide Web site has a tremendous volume of data, which includes everything from companies, products, and locations to employee benefit forms. Internal auditing designed its corner of the Web site to market and explain its activities and to present employment opportunities.
These electronic platforms have made a tremendous difference to auditors in terms of accessibility and ease of use of information, cycle-time reduction, and availability of reference material. These efficiencies have enabled the internal audit group to be more productive and to better serve its customers. Electronic platforms remove barriers of time, geography, and space limitations. Armed with skilled personnel, effective processes, and supportive electronic platforms, the auditors are ready to better partner with their customers.
3.1.3 Focusing on Collaboration
By listening and offering advice on business and control issues on a continuous basis, the senior internal audit team has created an effective network with senior management. The auditors add value by providing not only what clients are seeking but also what they may need, even if they are not aware of it. The auditors strive for a win-win environment by delivering a good mix of both.
[The company] performs a worldwide risk assessment on which it bases its audit plan. Continuous collaboration and one-on-one meetings enable the auditors to analyze risk on an on-going basis and expose hidden issues. These meetings, if they set the right win-win tone, can be frank expressions of needs by both parties to accomplish their respective tasks. Auditors recognize that the highest level of acceptance has been realized when customers call them for operational, control, and other corporate governance advice.
Generally during these meetings, a formal agenda -- beginning with recent key audits and future risks -- works best. The auditors work through these issues at a quickened pace, but when a nerve is hit, the auditors and management tackle it together. The auditors use various handouts -- such as portions of audit and risk analysis reports -- and other documentation to keep senior management focused on where they are headed in the larger environment. Management's comments and concerns are carefully noted and integrated into the audit plan frequently. The auditors' goals are to add value, to be timely, and, in times of trouble, to avoid the question: "Where were the auditors?" Being proactive with senior management helps prevent a "witch hunt" aimed at internal auditing when something goes wrong.
The auditors further the collaboration effort by following up on past audits, whether it be in person, by e-mail, or by telephone. Internal auditors can prioritize new and potential acquisitions of companies, some of which may be small, for review.
By integrating people, audit processes, electronic platforms, and focused collaboration with senior management, audit groups can become world-class organizations. No one factor will do the task alone. The synergies of integrating these elements produce a compelling environment that fosters excellence. Any successful program must be ongoing and focused on continuous change. Seeking world-class status is a never-ending journey and not simply a destination along the way.
3.2 IS Audit as Review of Management
The objectives of an information system audit are to obtain reasonable assurance that an organization safeguards its data processing assets, maintains data integrity and achieves system effectiveness and efficiency. In conducting an audit there are five major phases: planning the audit, tests of controls, tests of transactions, tests of balances or overall results, and completion of the audit. This report looks at how the nature of the organization and its use of generalized application software affect the conduct of each of the phases.
The organization is a medium-size automotive servicing firm. The organization uses a local area network consisting of three microcomputers running software application packages. The microcomputers are placed in different locations for different functions. It runs application software packages that are well known, well tested, and supplied by a reputable vendor. All the applications are relatively straightforward.
Auditing must be properly planned to achieve the results that both auditors and the organization are looking for. In this first phase, planning the audit, the auditor needs to obtain an understanding of the accounting and internal control systems so as to plan the audit. The auditor should obtain an understanding of the complexity of the information system and also how the information system environment influences the assessment of inherent and control risks.
The auditor should start by conducting interviews with top management and information system personnel to gather information for the audit. The auditor must observe activities being carried out within the information system function, review working papers from prior audits and review information system documentation. The auditor needs to review the information collected so as to have a good understanding of all the controls that exist within the organization. Reviewing the information system control procedures will help to evaluate the risks to the integrity of accounting data presented in the financial reports.
The software used by the organization is well known, well tested, and supplied by a reputable vendor. The application software packages are already divided by the functions they perform, thus simplifying complexity issues for the audit. Given the fact that the application is well tested by the vendor, it can be implied that computer controls are in effect and should be very effective. Therefore, the auditor needs to concentrate on the user controls that are in place to see how they can be improved. Two major control issues were raised in the case: modifications to the software and access to the central database. The general manager has given the assurance that no modifications were made to the software, and that no staff member has the computer knowledge needed to carry out modifications to the software. This may be true, but controls must be in place to ensure that no modifications are made without proper authority. Adequate controls must exist over the source code, object code and documentation of the package. It is mentioned that there is controlled access to the central database. The auditor must examine these controls since unauthorized access to databases can jeopardize the integrity of data.
Some other controls that the auditor should check are systems that allow secure issue or choice of passwords, correct validation of passwords, secure storage of passwords and follow-up on illicit use of passwords. There should be controls for unauthorized, inaccurate, incomplete, redundant, ineffective or inefficient inputs entered in the system. The input program should identify incorrect data entered, and the program should use special codes to correct data corrupted because of noise in a communication line. The local area network is very small, consisting of only three microcomputers, but it still needs protection against natural threats and physical disasters; thus it is necessary to protect the local area network.
Even if controls are in place and are well designed and applied, the risk exists that the auditor will fail to detect actual or potential material losses or account misstatement at the end of the audit. Auditors must determine the audit risk. In deciding the level of inherent risk the auditor needs to take into account that the organization is a medium-sized firm in an industry that is not subject to rapid changes. The industry is not subject to many threats and would not normally be a target for abuse. In this light it can be assumed that the inherent risk will be low. To determine the control risk the auditor should look at management and application controls. Management controls should be looked at first, since if management controls are good there should be little need to go into in-depth application controls. If management enforces high quality documentation standards then it is unlikely that the auditor will have to review the documentation for each application. Given that the software is well known and well tested, the application controls should be strong. Therefore the control risk should also be very low for the organization.
At this point it can be concluded that the auditor should audit around the computer. The reasons for this are, firstly, that the applications are relatively straightforward and simple. Second, it is more cost effective to audit around the computer when generalized application software is being used. The application software was provided by a reputable vendor and is well tested, and the application has not been modified according to the general manager. Thirdly, since the package is well tested a high reliance is placed on user controls rather than computer controls. Thus there is no need to go through testing of processing logic and controls in an application that is already tested by the vendor. This would require technical expertise to duplicate a task performed by a reputable vendor.
In the second phase, tests of controls, the auditor should go into more detail in reviewing the documentation of processes and analysis of the information the auditor is interested in. Controls should be analyzed for faultiness or defect. User and computer controls should be tested. Since the application is well tested, testing should focus on the reliability of user controls rather than the reliability of computer controls. Some of the controls that should be tested during this phase are: unauthorized, inaccurate, incomplete, redundant, ineffective or inefficient inputs entered in the program; output should be complete and accurate and distributed promptly to the correct recipient; secure issue or choice of passwords, correct validation of passwords, secure storage of passwords and follow-up on illicit use of passwords; segregation of duties; availability of up-to-date backups, viability of up-to-date backups, whereabouts of backup storage units and a usable restore system; reporting, recording and resolving incidents and operational failures; and continuity controls.
In the third phase, tests of transactions, testing should be centered on checking to see if material loss or account misstatement has occurred or might occur due to erroneous or irregular processing of a transaction. The application software is straightforward with the necessary built-in controls in place; therefore there is no need to go through the entire system looking for transaction errors. The auditor should take a few transactions and trace them from beginning to ending process to verify whether transactions are handled effectively and efficiently.
In the fourth phase, testing of balances or overall results, the purpose is to gather sufficient evidence to make a final judgment on the size of the losses or account misstatements that might have occurred or might occur when the information system function fails to safeguard assets, maintain data integrity, and achieve system effectiveness and efficiency. If auditors find that computer controls are weak or nonexistent they will need to do more substantive testing on detailed tests of transactions and account balances.
However, in this case the vendor tested all computer controls and it is safe to assume that the controls are strong, and this eliminates the need for the auditors to conduct more substantive testing. Selling of spare parts is one of the major revenue earners for the organization. In this light the auditors should conduct a physical inventory of the spare parts to verify that the physical count and computer application count are the same. Other tests that can be done are to recalculate depreciation on fixed assets, and confirmation of receivables.
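As an added example (not part of the original case write-up), the two substantive tests just named carried out as a small computer-assisted audit routine: reconciling the application's spare-parts quantities against the physical count, and recalculating straight-line depreciation on fixed assets. Every part number, asset record and amount below is constructed sample data.

```python
"""Substantive tests of balances for the spare-parts case.

Added example, not code from the original text. All records below are
constructed sample data: the 'application' figures stand in for an export
from the vendor package, the physical count for the auditor's own count.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PartRecord:
    part_no: str        # constructed part number
    system_qty: int     # quantity on hand according to the application
    unit_cost: float    # unit cost used to value any variance


@dataclass(frozen=True)
class Asset:
    asset_id: str            # constructed asset identifier
    cost: float
    salvage: float           # residual value; never depreciated below it
    life_years: int
    years_in_service: int
    system_accum_dep: float  # accumulated depreciation per the application


# Constructed application inventory file and the auditor's physical count.
INVENTORY_FILE = [
    PartRecord("BRK-001", 120, 15.50),
    PartRecord("FLT-010", 40, 8.25),
    PartRecord("OIL-5W30", 300, 6.00),
    PartRecord("TYR-205", 18, 72.00),
    PartRecord("BLT-777", 5, 2.10),    # on file but never reached the count sheet
]
PHYSICAL_COUNT = {"BRK-001": 120, "FLT-010": 37, "OIL-5W30": 300, "TYR-205": 20}

# Constructed fixed-asset register with the application's depreciation figures.
FIXED_ASSETS = [
    Asset("LIFT-01", 12000.0, 2000.0, 5, 2, 4000.0),   # agrees with recalculation
    Asset("COMP-02", 5000.0, 0.0, 10, 12, 6000.0),     # held longer than its useful life
    Asset("DIAG-03", 9000.0, 1000.0, 4, 1, 2500.0),    # application figure overstated
]


def inventory_variances(records, physical):
    """Compare each application quantity with the physical count.

    Returns (part_no, system_qty, counted_qty, value_difference) for every
    part whose counts disagree. value_difference is (counted - system) at
    unit cost. A part absent from the count sheet is reported with None for
    both counted_qty and value_difference so it is followed up rather than
    silently treated as a count of zero.
    """
    variances = []
    for rec in records:
        counted = physical.get(rec.part_no)
        if counted is None:
            variances.append((rec.part_no, rec.system_qty, None, None))
        elif counted != rec.system_qty:
            value = round((counted - rec.system_qty) * rec.unit_cost, 2)
            variances.append((rec.part_no, rec.system_qty, counted, value))
    return variances


def variance_is_material(variances, materiality):
    """True when the total absolute value of the valued variances reaches the
    auditor's materiality threshold (uncounted parts are excluded)."""
    total = sum(abs(v[3]) for v in variances if v[3] is not None)
    return total >= materiality


def straight_line_accumulated(asset):
    """Recalculate accumulated straight-line depreciation, capped at the
    depreciable base (cost - salvage) for assets past their useful life."""
    base = asset.cost - asset.salvage
    annual = base / asset.life_years
    return round(min(annual * asset.years_in_service, base), 2)


def depreciation_exceptions(assets, tolerance=0.005):
    """Return (asset_id, system_figure, recalculated_figure) for every asset
    whose reported accumulated depreciation differs beyond rounding."""
    exceptions = []
    for asset in assets:
        expected = straight_line_accumulated(asset)
        if abs(expected - asset.system_accum_dep) > tolerance:
            exceptions.append((asset.asset_id, asset.system_accum_dep, expected))
    return exceptions


if __name__ == "__main__":
    found = inventory_variances(INVENTORY_FILE, PHYSICAL_COUNT)
    for v in found:
        print("inventory variance:", v)
    print("material at 100.00:", variance_is_material(found, 100.0))
    for e in depreciation_exceptions(FIXED_ASSETS):
        print("depreciation exception:", e)
```

The uncounted part and the asset held beyond its useful life are the two cases such a routine most often gets wrong; both are handled explicitly above.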

In the fifth phase, completion of the audit, additional tests to bring the audit to a close are generally conducted. These include reviews for subsequent events and contingent liabilities. The auditor must then formulate an opinion as to whether material loss or account misstatements have occurred and issue a report. The auditor should provide management with a report documenting control weaknesses, identifying potential consequences of these weaknesses and recommendations for remedial actions. It was noticed that no controls are in place against unauthorized program changes; in that case auditors must note that weakness, letting management know that unauthorized changes can destroy the functionality of the application, and suggest ways of eliminating that threat. Some recommendations the auditor can make are as follows: the need to strengthen security for the organization's information assets by developing disaster recovery plans and business continuity plans; reviewing technical staff's access to programs and data; tracking of staff activities; limiting the files and other resources authenticated users can access and the actions which they can execute; and development of internal controls to ensure against unauthorized program changes.

There is no right or wrong approach to conducting an information system audit. There are factors that must be taken into account during the planning phase of the audit; these factors determine the approach the auditor takes. As was seen in this case, the fact that it was a medium-size, low risk organization using generalized application software that was not modified was the main factor that determined the approach that would be taken by the auditor.

4. Risk Based Audit Framework
4.1 Introduction to the Risk-Based Audit Framework
This guide is intended to assist managers in meeting the Policy on Transfer Payments (PTP June 2000) risk-related requirements that support government-wide directions for more corporate and systematic management of risk in the design and delivery of programs. For example, emphasis is placed on incorporating risk in the initial stages of program planning by stipulating that:
- "The type of transfer payment that a department uses to meet its program objectives is determined by the departmental mandate, business lines, clients and an assessment of risks."
The PTP also refers to the following two requirements that are fulfilled through the development of an RBAF:
- "It is government policy to manage transfer payments in a manner that is sensitive to risks, complexity, accountability for results and economical use of resources..." [Section Q#=];
- "Departments must develop a risk-based audit framework for the audit of contributions..." [Section S#Q].
A primary impetus for the government-wide management-change initiative on risk arose from observations and recommendations made in the 1997 Report of the Independent Panel on Modernization of Comptrollership in the Government of Canada. The report found that:
- "...key responsibilities for governing bodies ... [include]: understanding the risks associated with the type, level and quality of the service government decides to (or not to) provide, whether directly or indirectly, and ensuring that appropriate means are in place to manage these risks..."
- "...areas that increasingly demand managerial excellence ... [include]: matching more creative and client-driven decision making and business approaches with solid risk management..."
In this context, Treasury Board of Canada Secretariat (TBS) acknowledged the importance and benefits of systematic risk management as a strategic investment in the attainment of overall business objectives and demonstration of good governance. As a result, increased emphasis is being placed on working together, at all levels, to create management regimes which are based on leadership and values, well-defined standards and control systems as well as solid risk management.
In addition to the PTP, TBS has promoted the integration of systematic risk management practices in other key policies and guidelines, such as:
- the Integrated Risk Management Framework (April 2001), which establishes the expectation that implementing the Framework will "strengthen accountability by demonstrating that levels of risk are explicitly understood"; and
- the Active Monitoring Policy (June 2001), which stipulates that "departments must actively monitor their management practices and controls using a risk-based approach."
The sections which follow describe the underlying objectives and components of an RBAF and provide guidance in its development and preparation.
4.1.1 What is an RBAF?
The RBAF is a management document that explains how risk concepts are integrated into the strategies and approaches used for managing programs that are funded through transfer payments. The RBAF provides:
- background and profile information on the transfer payment program including the key inherent risk areas (internal and external) that the program faces;
- an explicit understanding of the specific risks that may influence the achievement of the transfer payment program objectives;
- a description of existing measures and proposed incremental strategies for managing specific risks; and
- an explanation of monitoring, recipient auditing, internal auditing, and reporting practices and procedures.
4.1.2 Why Do We Need an RBAF?
Transfer payment programs operate in an environment that involves many interconnections, including those that stem from global expectations, governance requirements, authorities and various risk drivers. All these factors affect the design and implementation of the program. Risk-Based Audit Frameworks can cost-effectively and efficiently assist managers in operating in this complex environment by:
- enhancing managers' and employees' understanding and communication of risk and related mitigation options;
- strengthening accountability for achieving objectives and stewardship over public funds;
- facilitating managers' achievement of government-wide requirements for solid risk management;
- providing a basis upon which to create contingency plans;
- helping to secure funding for new or renewed programs; and
- enhancing information for decision-making.
4.1.3 Development and Implementation of the RBAF
The key parties that should be involved in the development and implementation of an RBAF are as follows:
- Managers of the program, who have primary responsibility for ensuring that the RBAF reflects an accurate and comprehensive analysis of potential risks to the achievement of objectives as well as cost-effective monitoring, mitigation and reporting strategies;
- Internal Audit and program staff, who could provide expert advice and technical support in risk identification, assessment and monitoring as well as take a lead role in preparing the Internal Auditing section of the RBAF;
- Evaluation staff, who could provide knowledge and expertise, in recognition of the potential for overlap between RMAFs and RBAFs and in cases where the RMAF and RBAF are being integrated; and
- TBS Program and Center of Excellence for Internal Audit analysts, who have assigned responsibilities and knowledge of program and RBAF requirements respectively, and can provide advice during their preparation.
Delivery partners/co-deliverers and interested parties may also be involved as collaborators.
4.1.4 Planning and Preparing an RBAF
The level of detail included in an RBAF document will vary according to the nature, complexity and sensitivity of the programs. In planning and developing the level of information and effort required to prepare the RBAF, consideration should be given to the following:
- uncomplicated programs with low materiality and a straightforward accountability and risk management environment would require a less detailed and resource intensive RBAF;
- high priority and complex programs with significant materiality (relative to the overall departmental budget) and a diversified and complex environment would require a more detailed RBAF and a larger investment of time and effort;
- the breadth and complexity of the program's RMAF could be used as a guidepost for RBAF development; and
- meaningful information should be provided in each section of the RBAF.
The next sections of this document will guide the reader through the components of an RBAF and the steps involved in their development.
4.2 Components of an RBAF
The RBAF consists of the following key components:
The preparation of the RBAF involves a systematic and analytical process. This section of the guide takes managers and specialist advisors through the distinct steps in this process -- the product of each step being a key element of the final framework.
4.2.1 Introduction
- The RBAF should be introduced with a concise explanation of the purpose of the RBAF in the context of PTP requirements and the demonstration of good governance.
- A brief description of the program background should be provided to set the overall context. Background information would include events giving rise to the program, the nature of the contribution agreement (i.e. payable, non-repayable), magnitude of the transfer payments and the timeframe of the funding authority.
- If program management chooses to integrate the RBAF with the RMAF, this section should be used to briefly outline the points and extent of integration.
4.2.2 Roles, Responsibilities and Relationships
a) Purpose
This section should clearly delineate the respective roles and responsibilities of management and IA in fulfilling the PTP monitoring, auditing and RBAF requirements. A summary of the recipient's role and responsibilities for complying with terms and conditions should also be provided.
b) Process
The PTP (Section S#Q) and the Guide on Grants, Contributions and Other Transfer Payments delineate the roles and responsibilities of management and IA.
- Management is responsible for ongoing financial and operational monitoring and the audit of recipients' compliance with terms and conditions and the audit of recipients. The audit of recipients can also examine whether results data is reliable.
- Internal Audit's (IA) role is to employ risk-based methodologies in planning and conducting audits to provide assurance on the adequacy of integrated risk management practices, management control frameworks and information used for decision-making and reporting on the achievement of overall objectives. Management is responsible for applying and describing the risk-based approach in the selection of recipient audits. If management is not familiar with a risk-based methodology, IA could be of assistance in discharging this responsibility. While management has overall responsibility for the RBAF, IA is responsible for employing a risk-based approach in establishing whether the overall transfer payment program should be subject to audit. As such, IA should complete the Internal Auditing section [Section G#=] of the RBAF. Managers and IA should consult as soon as the RBAF requirement has been identified. They should reach an agreement on the collaboration needed to complete the Recipient Auditing and Internal Auditing sections of the RBAF. To facilitate a common understanding of compliance and ongoing monitoring requirements, it may also be beneficial to articulate recipients' roles and responsibilities for meeting contribution agreement terms and conditions.
c) Product
A statement of roles, responsibilities and relationships between PTP management, IA and recipients.
4.2.3 Program Profile
a) Purpose
The Program Profile should provide the context and the key areas of inherent risk (Key Risk Areas) that evolve from the transfer payment program's objectives and environment. Overall, the profile assists the manager in:
- meeting good governance expectations through a sound understanding of the accountability and risk management environment; and
- conducting a more efficient and effective detailed identification and assessment of risk for the Risk Assessment and Management Summary in the next RBAF component.
b) Process
The Program Profile should be developed with reference to the organization's outcomes and design information that has been compiled during recent business planning and the development of the RMAF. As a first step in the process, the "Performance Profile" and other pertinent RMAF data should be verified with participating managers. Clearly articulated objectives and context will provide the basis for further internal and external environmental analysis and identification of the Key Risk Areas that evolve from the mandate. In this context, for ongoing programs, any recent internal audit or evaluation should be described, particularly the effect that their results may have had on the program. In the case of a small, uncomplicated program, the Profile can be developed by the manager alone. However, as the complexity and magnitude of the program increase, greater detail will be required from key knowledgeable stakeholders to ensure all Key Risk Areas are identified and adequately described. Knowledgeable stakeholders include experienced program staff, internal audit and evaluation advisor(s) and, if deemed necessary, external stakeholders. The involvement of a risk management advisor may also be required, depending on the degree of program complexity.
c) Product
The Profile should include:
- the background, underlying rationale, objectives and need for the program;
- the target population, resources, product groups, delivery mechanisms, TPP stacking provisions and governance structure; and
- the key internal and external areas of risk (Key Risk Areas) that evolve from the legislation, mandate, program design and/or operating environment where there is a potential for significant impact on performance (i.e. anticipates, in macro terms, the work to be done in the next section).
4.2.4 Risk Identification, Assessment and Management Summary
The key risks should ideally be identified, assessed, and associated mitigation measures either implemented or in progress, prior to the development of the proposed Treasury Board submission (in the case of new policy initiatives, prior to the Memorandum to Cabinet). If available, the departmental Integrated Risk Management Framework (IRMF) would be a primary source of reference or at least a starting point.
a) Purpose
The purpose of this component is to ensure an explicit understanding of the level of key risks. Through systematic risk identification, assessment and development of response or mitigation procedures, managers will acquire an explicit understanding of all aspects of key risks. Furthermore, this component provides insight into the main operational measures, including controls used to mitigate key risks, and thereby contributes data relevant to the explanation of Program Monitoring presented in Section 3.5.
b) Process
The preparation of the Risk Assessment and Management Summary section generally requires input from a team of managers and knowledgeable staff within the program area, supported by various functional groups.
The team should carry out the following steps.
Preparation Steps
- Consider who should participate
- Clearly define risk
- Establish a time horizon
- Customize a risk matrix
- Consider other tool requirements
Process Steps
1. Understand Objectives
- Clearly articulate and understand the program's objectives with reference to the outcomes established in the RMAF Logic Model.
2. 0is1 Identiication
KLIdentify risk areas 1sources of risk2 related to the achieement of ob)ecties 1e#g#
eents% ha&ards% issues% lost opportunities and circumstances that could lead to an
impact on ste$ardship% deliery% outputs% outcomes% etc#2+ and
KL/onduct a preliminary intuitie analysis of the risk leel of each area 1high% medium%
lo$2 to select the risk areas that re*uire further analysis#
". 0is1 Assessment
KL!rticulate the particular concerns and e(isting mitigation measures for the risk
areas selected for detailed analysis+ and
KL!ssess the likelihood and impact of an undesirable effect% gien e(isting mitigation
measures% to arrie at a residual leel of risk#
#. 0is1 0esponse or %itigation
KL0stablish incremental response strategies to aoid% share% transfer% accept and
manage the risk#
$. Be! 0is1 Summaries
KLSummari&e the Cey Risks and related particular concerns% e(isting measures% and
Incremental Risk 6anagement Strategies#
c6 3roduct The Risk !ssessment and 6anagement Summary should include.
KL! methodology section $hich e(plains the risk definition and model+
KL! brief description of the process steps follo$ed+
KLThe identification of parties inoled in the process+
KL! Risk 6atri( to e(plain the criteria and define the leels of impact and likelihood
KL!n elaboration of the Cey Risk !reas that $ere used in the "rofile section to e(plain
the oerall risk conte(t of the program+ and
KLsummaries of the Cey Risks that $ere identified including particular concerns%
e(isting mitigation measures and incremental risk response strategies% if re*uired#
4.2.5 Program Monitoring and Recipient Auditing
a) Purpose The purpose of this section is to provide a description of the monitoring and recipient auditing practices which are to be undertaken by management. It should reflect the risk identification and elaboration work done in the previous section; in particular, it should reflect the mitigation (in this case, monitoring or recipient auditing) of those risks for which the response was to implement controls. This section should reflect all activities related to monitoring of the overall program and the recipients' compliance with terms and conditions through detailed operational and financial procedures.
b) Process
Monitoring The description of overall monitoring should demonstrate that management has those risks for which the mitigation strategy was controls covered by adequate means and measures. Typical monitoring objectives would include:
• Achievement of established outputs/outcomes;
• Risks or impediments to the achievement of outputs/outcomes;
• Due diligence in determining eligibility of recipients and the expenditures of funds;
• The efficient, effective and economical use of resources; and
• Whether or not the program is being administered in accordance with appropriate terms and conditions at all stages of the transfer payment life cycle (i.e. selection, administration, delivery and reporting).
The description of detailed monitoring of compliance should outline the operational and financial procedures, including:
• Interviews and documentation reviews to assess milestone achievements;
• Expense claim verification procedures;
• Stacking requirements verification procedures; and
• Reviews of recipient financial statements.
The existing and incremental mitigation measures for key risks, included in the Program Risk Assessment, Identification and Management Summary section, provide relevant and current information for the preparation of the overall monitoring section. The Results-based Management and Accountability Framework (RMAF) should also provide relevant information with regard to monitoring the achievement of outcomes.
Recipient Auditing Recipient auditing is often the only effective way to establish:
• That funds were used for intended purposes;
• Compliance with terms and conditions; and
• Reliability of results data.
Recipient Auditing is applicable to contribution agreements due to their conditional nature. In cases where contribution agreements allow recipients to establish sub-agreements, management may also choose to audit the third, fourth, etc. party recipients' sub-agreement activities; i.e. all the links of the chain through to the end recipient (and the original Terms and Conditions of the Contribution Agreement should provide for this). Particular attention should be paid to Alternative Service Delivery (ASD) arrangements, i.e. where another party delivers the funds to the end recipient on behalf of the program manager, as this arrangement is inherently higher risk than direct delivery to the recipient. Grant programs conduct strict eligibility checks before issuing grants. However, once grants are issued, there is no further requirement to verify the recipients' use of funds, i.e. recipient auditing is not applicable in this instance. The TPP sets out the requirement for a “risk-based” approach for determining whether or not an audit should be conducted and, if conducted, its objectives, scope and extent. The risk methodology used here should be consistent with that used in the previous section for program risk identification, assessment and management. In fact, the results of the risk assessment performed in the previous section (particularly those risk factors having to do with the recipient) should be brought forward and augmented, as needed, by factors that may not have been identified there (e.g. knowledge of the recipient known by the Finance or Internal Audit groups, but not to the program manager) and further augmented by “audit risk” factors (i.e. risk factors having to do with the possibility of the auditor drawing the wrong conclusion: concluding that all is well when it is not, or that all is not well when it, in fact, is).
This section should describe the process used for deciding on and planning recipient audits, considering the following steps:
1. Audit Objectives
• Establish the audit objectives to verify compliance with terms and conditions and, if required, the reliability of results data.
2. Risk Identification and Assessment Criteria
• Development of a risk-based matrix and criteria to analyse the level of risk associated with recipients of contributions.
3. Risk Factors Rating
• Consider each audit risk factor and assign a rating. Calculate the overall risk rating, as LOW, MEDIUM or HIGH risk.
4. Audit Planning Decisions
• Based on overall risk ratings, determine the nature, scope, timing and sampling strategy, if any, for conducting recipient audits (or, where the second, third, etc. party is acting on behalf of the program manager (i.e. an ASD arrangement), end party audits).
c) Product This section includes:
• a complete and concise explanation of existing and planned monitoring activities; and
• a summary of the methodology used and decisions taken on conduct of recipient audits, including cost.
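As an added example that is not part of the RBAF guidance above, the following Python helper implements the likelihood-by-impact Risk Matrix of step 3 in 4.2.4 (residual risk given existing mitigation) and the weighted risk-factor rating of step 3 in 4.2.5, with an assumed planning decision for step 4. The three-point scales, the factor names and weights, the band cut-offs and the planning policy are constructed assumptions; a real RBAF defines all of these in its own Risk Matrix section.

```python
# Added example, not from the RBAF guide: a minimal Risk Matrix and risk-factor
# rating helper. LEVEL values, factor names, weights and band cut-offs are
# constructed assumptions that a real RBAF would define in its Risk Matrix section.
from __future__ import annotations
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}      # assumed 3-point scales


@dataclass
class RiskArea:
    name: str
    concern: str             # the "particular concern" for this Key Risk Area
    existing_measures: str   # mitigation already in place
    likelihood: str          # likelihood assessed GIVEN the existing measures
    impact: str


def residual_score(area: RiskArea) -> int:
    """Cell of the likelihood x impact matrix (1..9): the residual level of risk (4.2.4, step 3)."""
    return LEVEL[area.likelihood] * LEVEL[area.impact]


def band(score: float, high: float = 6.0, medium: float = 3.0) -> str:
    """Map a score to LOW/MEDIUM/HIGH using assumed cut-offs."""
    if score >= high:
        return "HIGH"
    if score >= medium:
        return "MEDIUM"
    return "LOW"


def key_risk_summary(areas: list[RiskArea]) -> list[dict]:
    """4.2.4, step 5: one row per Key Risk, highest residual risk first."""
    rows = [{"risk": a.name, "concern": a.concern, "existing_measures": a.existing_measures,
             "score": residual_score(a), "residual": band(residual_score(a))} for a in areas]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# 4.2.5, step 3: audit risk factors for a contribution recipient; the weight is the
# factor's assumed relative importance. Each factor is rated 1 (low) .. 3 (high).
AUDIT_RISK_FACTORS = {
    "contribution_amount": 3,
    "asd_arrangement": 2,            # funds delivered through a third party (ASD)
    "prior_audit_findings": 2,
    "recipient_financial_capacity": 2,
    "new_recipient": 1,
}


def overall_rating(ratings: dict[str, int]) -> tuple[float, str]:
    """Weighted average of the factor ratings (1..3) mapped to LOW/MEDIUM/HIGH."""
    if set(ratings) != set(AUDIT_RISK_FACTORS):
        raise ValueError("every audit risk factor must be rated exactly once")
    if any(r not in (1, 2, 3) for r in ratings.values()):
        raise ValueError("ratings must be 1, 2 or 3")
    weighted = sum(AUDIT_RISK_FACTORS[f] * ratings[f] for f in AUDIT_RISK_FACTORS)
    score = weighted / sum(AUDIT_RISK_FACTORS.values())
    return round(score, 2), band(score, high=2.5, medium=1.8)   # cut-offs rescaled to 1..3


def audit_planning_decision(rating: str) -> str:
    """4.2.5, step 4: nature and scope of the recipient audit per band (assumed policy)."""
    return {
        "HIGH": "full-scope recipient audit this year, following the chain to the end recipient",
        "MEDIUM": "desk review of expense claims plus a sampled site visit",
        "LOW": "rely on routine monitoring; no recipient audit planned",
    }[rating]


if __name__ == "__main__":
    areas = [   # constructed Key Risk Areas
        RiskArea("Recipient eligibility", "ineligible recipients funded",
                 "application screening checklist", "medium", "high"),
        RiskArea("Stacking limits", "total assistance exceeds TPP stacking provisions",
                 "declaration of other government funding", "low", "high"),
        RiskArea("Results reporting", "late or missing performance reports",
                 "reporting schedule in agreement", "low", "low"),
    ]
    for row in key_risk_summary(areas):
        print(row["residual"], row["risk"])
    score, rating = overall_rating({"contribution_amount": 3, "asd_arrangement": 3,
                                    "prior_audit_findings": 1,
                                    "recipient_financial_capacity": 2, "new_recipient": 1})
    print(score, rating, "->", audit_planning_decision(rating))
```

The likelihood entered for each area is the post-mitigation likelihood, which is why the same matrix yields the residual risk the guide asks for; the rating function refuses incomplete or out-of-range factor sets so a missing factor cannot silently pull a recipient into the LOW band.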
4.2.6 Internal Auditing
a) Purpose An internal audit of a transfer payment program can provide valuable assistance to management by providing assurance as to the soundness of the risk management strategy and practices, the management control framework and practices, and the information being used for decision making and reporting. Specifically, internal audits may examine whether:
• Due diligence is exercised with regard to the expenditure of public funds;
• The program is administered in accordance with the terms and conditions of the funding authority;
• Relevant legislation and policy (e.g. Sections 32, 33 and 34 of the Financial Administration Act and the Transfer Payment Policy) are being respected;
• The program has a risk management strategy and whether systematic risk management is used, where the magnitude and complexity of issues would warrant; and
• The quality of information is adequate for decision-making.
b) Process The process for planning internal audits is risk-based and the responsibility of IA. Transfer payment program management should consult with IA as soon as the need for an RBAF is identified (preferably at the Memorandum to Cabinet stage or at least when the need for a submission has been identified) in order to make arrangements for IA input to the relevant RBAF components. To maintain consistency, the risk assessment methodology used for internal audit decisions should be the same as the one used for program and recipient audit risk assessment; i.e. the results of the program risk assessment should be brought forward and augmented by risk factors that the internal audit group may be aware of, but that the program managers were not (e.g. corporate support risk factors and “audit risk”). Refer to Appendix C for details. It is recognized that the internal audit function and related planning are ongoing and that, in the case of an ongoing program, they may have already considered the relative risk of the subject program and scheduled, or not, an audit of the program for a specific time in the future, or an audit of the program may have already been performed recently. If that is the case, then it would suffice to indicate the results of the audit performed and/or the details of future plans, including expected costs. However, in the case of a new program a complete risk assessment would have to be retrofitted to the existing internal audit plan and the results described here, including objective, scope, timing and expected costs.
c) Product The products, which should be provided by IA, are:
• A description of the results of any recent internal audits performed;
• Anticipated audit objectives, scope, timing and expected cost, in cases where the need for an audit has been affirmed by IA;
• A description of the risk-based audit planning methodology used for all departmental programs (including Transfer Payment Programs); and
• If it is decided that no internal auditing will be performed, an explanation of that decision.
4.2.7 Reporting Strategies
a) Purpose The final component of the RBAF ensures that plans are in place to systematically report (both internally and externally) on the results of ongoing monitoring, recipient auditing, internal auditing and evaluation. (Note: if reporting of evaluation results is already provided for in the RMAF, it may simply be copied here for completeness purposes.)
b) Process There are many potential users of this information and the reporting strategy should consider all of their needs (e.g. management decision-making, accountability and communication/information sharing). Potential users of risk information include program management, central agencies and internal and external stakeholders.
c) Product At the minimum, the reporting strategy should include a description of:
• Periodic reports which are produced for monitoring purposes;
• Agreed upon recipient audit reports;
• Evaluation reports;
• Internal audit reports that will be provided;
• Who is responsible (especially when multiple parties are involved) for producing reports; and
• The mechanisms (e.g. annual progress reports, mid-term reports, Departmental Performance Reports) and timeframes for reporting on operational monitoring, recipient and internal audits to the lead department, TBS, TB Ministers and/or Parliament.
4.3 RBAF/RMAF Integration
Benefits of Integrated Performance and Risk Assessment and Reporting:

The TPP also requires that management develop a Results-Based Management and Accountability Framework (RMAF) to provide measurement and evaluation strategies for assessing the performance of a transfer payment program. The RBAF and RMAF are complementary documents that provide managers with the means and measures for enhancing program monitoring and reporting. In this regard, the RBAF and RMAF have natural points of integration that relate to the typical analytical and planning approaches used by managers to monitor program operations and performance. For example, it is quite natural for program managers to simultaneously contemplate performance and risk issues when considering whether or not program objectives will be achieved. This integrated thinking facilitates the development of practices and procedures that fulfil the dual function of promoting the achievement of objectives and mitigating risks to performance. The links between performance and risk, including data collection elements (baseline data) and control frameworks, should be considered at the beginning of the program lifecycle. This integrated approach will assist in clearly identifying all objectives, the program context, and potential internal and external risks to the achievement of objectives. In this regard, it is recognized that the RBAF must be “risk sensitive” and that the RMAF must be “performance sensitive”, i.e. linking risk to the program outcomes and performance measurement strategies.
5. IS Audit Standards
5.1 Code of Professional Ethics
The Information Systems Audit and Control Association, Inc. (ISACA) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders.
Members and ISACA Certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless legal authority requires disclosure. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.
5.2 IS Auditing Standards
The specialized nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:
Standards define mandatory requirements for IS auditing and reporting. They inform:
– IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors;
– Management and other interested parties of the profession's expectations concerning the work of practitioners; and
– Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.
Resources should be used as a source of best practice guidance. The COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control."
COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.
As defined in the COBIT Framework, each of the following is organized by IT management process. COBIT is intended for use by business and IT management, as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:
Control Objectives: High-level and detailed generic statements of minimum good control.
Control Practices: Practical rationales and “how to implement” guidance for the control objectives.
Audit Guidelines: Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met.
Management Guidelines: Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors. It provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
– Performance measurement: How well is the IT function supporting business requirements? Management Guidelines can be used to support self-assessment workshops, and they also can be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.
– IT control profiling: What IT processes are important? What are the critical success factors for control?
– Awareness: What are the risks of not achieving the objectives?
– Benchmarking: What do others do? How can results be measured and compared? Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.
5.3 IS Auditing Guidelines
Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT's information criteria.
In the case of this specific audit area, Review of Internet Banking, the processes in COBIT likely to be the most relevant are: selected Plan and Organise IT processes, selected Acquire and Implement IT processes, selected Deliver and Support processes, and selected Monitor and Evaluate processes. Therefore, COBIT guidance for the following processes should be considered relevant when performing the audit:
• PO1 Define a Strategic IT Plan
• PO3 Determine Technological Direction
• PO8 Ensure Compliance with External Requirements
• PO9 Assess Risk
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Develop and maintain procedures
• AI5 Install and accredit systems
• AI6 Manage Changes
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage performance and capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS8 Assist and Advise Customers
• DS10 Manage Problems and Incidents
• DS11 Manage Data
• M1 Monitoring the Process
• M2 Assess Internal Control Adequacy
The information criteria most relevant to an Internet Banking audit are:
• Primary: confidentiality, integrity, availability, compliance and reliability
• Secondary: effectiveness and efficiency
6. Use of Computer-Assisted Audit Techniques (CAATs)
6.1. Background
6.1.1 Linkage to COBIT Standards
6.1.1.1 Standard 060 (Performance of Audit Work) states "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."
6.1.1.2 Standard 050 (Planning) states "The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable laws and professional auditing standards."
6.1.1.3 Standard 030 (Professional Ethics and Standards) states "The IS auditor should exercise due professional care, including observance of applicable professional auditing standards."
6.1.2 Need for Guideline
6.1.2.1 Computer Assisted Audit Techniques (CAATs) are important tools for the IS auditor in performing audits.
6.1.2.2 CAATs include many types of tools and techniques, such as generalised audit software, utility software, test data, application software tracing and mapping, and audit expert systems.
6.1.2.3 CAATs may be used in performing various audit procedures including:
• Tests of details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of IS application controls
• Penetration testing
6.1.2.4 CAATs may produce a large proportion of the audit evidence developed on IS audits and, as a result, the IS auditor should carefully plan for and exhibit due professional care in the use of CAATs.
6.1.2.5 This Guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above Standards, use professional judgment in its application and be prepared to justify any departure.
6.1.2.6 This guidance should be applied in using CAATs regardless of whether the auditor concerned is an IS auditor.
6.2. Planning
6.2.1 Decision Factors for Using CAATs
6.2.1.1 When planning the audit, the IS auditor should consider an appropriate combination of manual techniques and CAATs. In determining whether to use CAATs, the factors to be considered include:
• Computer knowledge, expertise, and experience of the IS auditor
• Availability of suitable CAATs and IS facilities
• Efficiency and effectiveness of using CAATs over manual techniques
• Time constraints
• Integrity of the information system and IT environment
• Level of audit risk
6.2.2 CAATs Planning Steps
6.2.2.1 The major steps to be undertaken by the IS auditor in preparing for the application of the selected CAATs are:
• Set the audit objectives of the CAATs
• Determine the accessibility and availability of the organisation's IS facilities, programs/system and data
• Define the procedures to be undertaken (e.g., statistical sampling, recalculation, confirmation, etc.)
• Define output requirements
• Determine resource requirements, i.e., personnel, CAATs, processing environment (organisation's IS facilities or audit IS facilities)
• Obtain access to the organisation's IS facilities, programs/system, and data, including file definitions
• Document CAATs to be used, including objectives, high-level flowcharts, and run instructions
6.2.3 Arrangements with the Auditee
6.2.3.1 Data files, such as detailed transaction files, are often only retained for a short period of time; therefore, the IS auditor should make arrangements for the retention of the data covering the appropriate audit time frame.
6.2.3.2 Access to the organisation's IS facilities, programs/system, and data should be arranged for well in advance of the needed time period in order to minimise the effect on the organisation's production environment.
6.2.3.3 The IS auditor should assess the effect that changes to the production programs/system may have on the use of the CAATs. In doing so, the IS auditor should consider the effect of these changes on the integrity and usefulness of the CAATs, as well as the integrity of the programs/system and data used by the IS auditor.
6.2.4 Testing the CAATs
6.2.4.1 The IS auditor should obtain reasonable assurance of the integrity, reliability, usefulness, and security of the CAATs through appropriate planning, design, testing, processing and review of documentation. This should be done before reliance is placed upon the CAATs. The nature, timing and extent of testing is dependent on the commercial availability and stability of the CAATs.
6.2.5 Security of Data and CAATs
6.2.5.1 Where CAATs are used to extract information for data analysis, the IS auditor should verify the integrity of the information system and IT environment from which the data are extracted.
6.2.5.2 CAATs can be used to extract sensitive program/system information and production data that should be kept confidential. The IS auditor should safeguard the program/system information and production data with an appropriate level of confidentiality and security. In doing so, the IS auditor should consider the level of confidentiality and security required by the organisation owning the data and any relevant legislation.
6.2.5.3 The IS auditor should use and document the results of appropriate procedures to provide for the ongoing integrity, reliability, usefulness, and security of the CAATs. For example, this should include a review of program maintenance and program change controls over embedded audit software to determine that only authorised changes were made to the CAATs.
6.2.5.4 When the CAATs reside in an environment not under the control of the IS auditor, an appropriate level of control should be in effect to identify changes to the CAATs. When the CAATs are changed, the IS auditor should obtain assurance of their integrity, reliability, usefulness, and security through appropriate planning, design, testing, processing and review of documentation before reliance is placed on the CAATs.
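Example code added here, not part of the ISACA guideline: one way to give effect to 6.2.5.3 and 6.2.5.4 when the CAATs are kept on the auditee's systems is to record a baseline manifest of file digests at the point the CAATs were tested and accepted (6.2.4), file that manifest with the workpapers, and verify it before each run. Any difference means the CAATs must be re-tested before reliance. The directory layout, file names and file contents below are constructed for the walk-through.

```python
# Added example, not from the ISACA guideline: a change-detection manifest for
# CAATs kept on systems the IS auditor does not control (6.2.5.3 - 6.2.5.4).
# The directory, file names and contents are constructed for illustration.
from __future__ import annotations
import hashlib
import json
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large CAAT data files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(caat_dir: str) -> dict[str, str]:
    """Baseline taken when the CAATs were tested and accepted for reliance (6.2.4)."""
    return {name: file_digest(os.path.join(caat_dir, name))
            for name in sorted(os.listdir(caat_dir))
            if os.path.isfile(os.path.join(caat_dir, name))}


def manifest_record(manifest: dict[str, str]) -> str:
    """Serialised form to file with the workpapers (6.4.2, 'controls to be exercised')."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(caat_dir: str, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Differences since the baseline; any non-empty list means re-test before reliance."""
    current = build_manifest(caat_dir)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed walk-through: baseline two CAAT files, then an unreviewed change appears."""
    with tempfile.TemporaryDirectory() as d:
        files = {"extract.sql": "SELECT claim_id, amount FROM claims;\n",
                 "claims_tests.py": "# tests of details\n"}
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
        baseline = build_manifest(d)
        assert verify_manifest(d, baseline) == {"modified": [], "missing": [], "unexpected": []}
        # Simulate what 6.2.5.4 guards against: an edit to the extract query and a
        # new file, neither of which passed through the auditor's testing.
        with open(os.path.join(d, "extract.sql"), "a") as f:
            f.write("-- filter added outside change control\n")
        with open(os.path.join(d, "helper.py"), "w") as f:
            f.write("pass\n")
        return verify_manifest(d, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only evidence of change, not of correctness: after a detected change the auditor still performs the planning, design, testing and documentation review that 6.2.5.4 requires before relying on the altered CAAT again.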
6.3 Performance of Audit Work
6.3.1 Gathering Audit Evidence
6.3.1.1 The use of CAATs should be controlled by the IS auditor to provide reasonable assurance that the audit objectives and the detailed specifications of the CAATs have been met. The IS auditor should:
• Perform a reconciliation of control totals if appropriate
• Review output for reasonableness
• Perform a review of the logic, parameters or other characteristics of the CAATs
• Review the organisation's general IS controls which may contribute to the integrity of the CAATs (e.g., program change controls and access to system, program, and/or data files)
6.3.2 Generalised Audit Software
6.3.2.1 When using generalised audit software to access the production data, the IS auditor should take appropriate steps to protect the integrity of the organisation's data. With embedded audit software, the IS auditor should be involved in system design and the techniques will have to be developed and maintained within the organisation's application programs/systems.
6.3.3 Utility Software
6.3.3.1 When using utility software, the IS auditor should confirm that no unplanned interventions have taken place during processing and that the utility software has been obtained from the appropriate system library. The IS auditor should also take appropriate steps to protect the integrity of the organisation's system and files since these utilities can easily damage the system and its files.
6.3.4 Test Data
6.3.4.1 When using test data, the IS auditor should be aware that test data only point out the potential for erroneous processing; this technique does not evaluate actual production data. The IS auditor also should be aware that test data analysis can be extremely complex and time consuming, depending on the number of transactions processed, the number of programs tested, and the complexity of the programs/system. Before using test data the IS auditor should verify that the test data will not permanently affect the live system.
6.3.5 Application Software Tracing and Mapping
6.3.5.1 When using application software tracing and mapping, the IS auditor should confirm that the source code being evaluated generated the object program currently being used in production. The IS auditor should be aware that application software tracing and mapping only points out the potential for erroneous processing; it does not evaluate actual production data.
6.3.6 Audit Expert Systems
6.3.6.1 When using audit expert systems, the IS auditor should be thoroughly knowledgeable of the operations of the system to confirm that the decision paths followed are appropriate to the given audit environment/situation.
6.4. CAATs Documentation
6.4.1 Workpapers
6.4.1.1 The step-by-step CAATs process should be sufficiently documented to provide adequate audit evidence.
6.4.1.2 Specifically, the audit workpapers should contain sufficient documentation to describe the CAATs application, including the details set out in the following sections.
6.4.2 Planning
6.4.2.1 Documentation should include:
• CAATs objectives
• CAATs to be used
• Controls to be exercised
• Staffing and timing
6.4.3 Execution
6.4.3.1 Documentation should include:
• CAATs preparation and testing procedures and controls
• Details of the tests performed by the CAATs
• Details of inputs (e.g., data used, file layouts), processing (e.g., CAATs high-level flowcharts, logic) and outputs (e.g., log files, reports)
• Listing of relevant parameters or source code
6.4.4 Audit Evidence
6.4.4.1 Documentation should include:
• Output produced
• Description of the audit analysis work performed on the output
• Audit findings
• Audit conclusions
• Audit recommendations
6.5. Reporting
6.5.1 Description of CAATs
6.5.1.1 The objectives, scope and methodology section of the report should contain a clear description of the CAATs used. This description should not be overly detailed, but it should provide a good overview for the reader.
6.5.1.2 The description of the CAATs used should also be included in the body of the report, where the specific finding relating to the use of the CAATs is discussed.
6.5.1.3 If the description of the CAATs used is applicable to several findings, or is too detailed, it should be discussed briefly in the objectives, scope and methodology section of the report and the reader referred to an appendix with a more detailed description.
