Internal Audit Program
Management should develop and follow a formal internal audit program consisting of policies and procedures that govern the internal audit function, including IT audit.
An institution's internal audit program consists of the policies and procedures that govern its internal audit functions, including risk-based auditing programs and outsourced internal audit work, if applicable. While smaller institutions' audit programs may not require the formality of those found in larger, more complex institutions, all audit programs should include
All institutions are encouraged to implement risk-based IT audit procedures based on a formal risk assessment methodology to determine the appropriate frequency and extent of work. See the "Risk Assessment and Risk-Based Auditing" section of this booklet for more detail.
IT audit procedures will vary depending upon the philosophy and technical expertise of the audit department and the sophistication of the data center and end-user systems. However, to achieve effective coverage, the audit program and expertise of the staff must be consistent with the complexity of data processing activities reviewed. The audit procedures may include manual testing processes or computer-assisted audit programs (discussed later in this section).
The audit department should establish standards for audit work papers, related communications, and retention policies. Auditors should ensure that work papers are well organized, clearly written, and address all areas in the scope of the audit. They should contain sufficient evidence of the tasks performed and support the conclusions reached. Formal procedures should exist to ensure that management and the audit committee receive summarized audit findings that effectively communicate the results of the audit. Full audit reports should be available for review by the audit committee. Policies should establish appropriate work paper retention periods.

Institutions should consider conducting their internal audit activities in accordance with professional standards, such as the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA), and those issued by the Standards Board of the Information Systems Audit and Control Association (ISACA). These standards address independence, professional proficiency, scope of work, performance of audit work, management of internal audit, and quality assurance reviews.
IT auditors frequently use computer-assisted audit techniques (CAATs) to improve audit coverage by reducing the cost of testing and sampling procedures that otherwise would be performed manually. CAATs include many types of tools and techniques, such as generalized audit software, utility software, test data, application software tracing and mapping, and audit expert systems. CAATs may be:
Whatever the source, audit software programs should remain under the strict control of the audit department. For this reason, all documentation, test material, source listings, source and object program modules, and all changes to such programs, should be strictly controlled. In installations using advanced software library control systems, audit object programs may be catalogued with password protection. This is acceptable if the auditors retain control over the documentation and the appropriate job control instructions necessary to retrieve and execute the object program from the libraries where it is stored. If internal control procedures within the computer system do not allow for strict audit control, audit programs should not be catalogued. Computer programs intended for audit use should be documented carefully to define their purpose and to ensure their continued usefulness and reliability.
CAATs may be used in performing various audit procedures, including the following:
These tools and techniques can also be used effectively to check data integrity by testing the logical processing of data "through" the system, rather than by relying only on validations of input and output controls.
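The following is an added illustration, not text or code from the booklet, of the "test data" style of CAAT described above: constructed transactions (including seeded defects) are pushed "through" a stand-in posting routine, and the auditor independently recomputes the expected result and compares, rather than relying on the application's own input and output edit checks. The posting routine, the account and transaction identifiers, and the two seeded defects (a duplicate transaction id and a sequence gap) are all hypothetical.

```python
"""Minimal test-data CAAT (added example; the posting routine and data are hypothetical)."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: Decimal  # positive = credit, negative = debit


# Constructed test data. Two defects are seeded on purpose so the auditor can
# confirm the system and the audit tests react to them: T0003 appears twice,
# and T0004 is missing from the sequence.
TEST_TXNS = [
    Txn("T0001", "A-100", Decimal("250.00")),
    Txn("T0002", "A-100", Decimal("-75.25")),
    Txn("T0003", "A-200", Decimal("1000.00")),
    Txn("T0003", "A-200", Decimal("1000.00")),  # duplicate id (seeded)
    Txn("T0005", "A-300", Decimal("-40.00")),    # T0004 absent (seeded gap)
]


def system_under_audit(txns):
    """Stand-in for the application's posting logic (hypothetical).

    It has the kind of weakness a test-data run is meant to surface: it posts
    every record it receives, so a duplicated transaction is counted twice.
    """
    balances = {}
    for t in txns:
        balances[t.account] = balances.get(t.account, Decimal("0")) + t.amount
    return balances


def expected_balances(txns):
    """Auditor's independent recomputation: each txn_id is posted once only."""
    seen = set()
    balances = {}
    for t in txns:
        if t.txn_id in seen:
            continue
        seen.add(t.txn_id)
        balances[t.account] = balances.get(t.account, Decimal("0")) + t.amount
    return balances


def find_duplicates(txns):
    """Transaction ids that occur more than once in the test file."""
    counts = Counter(t.txn_id for t in txns)
    return sorted(i for i, c in counts.items() if c > 1)


def find_gaps(txns):
    """Ids missing from the numeric sequence between the lowest and highest id."""
    present = {int(t.txn_id[1:]) for t in txns}
    lo, hi = min(present), max(present)
    return [f"T{n:04d}" for n in range(lo, hi + 1) if n not in present]


def run_caat(txns):
    """Run the test data through the system and compare with the auditor's
    own expectation; return every exception found."""
    actual = system_under_audit(txns)
    expected = expected_balances(txns)
    balance_exceptions = {
        acct: (actual.get(acct), expected[acct])
        for acct in expected
        if actual.get(acct) != expected[acct]
    }
    return {
        "duplicates": find_duplicates(txns),
        "gaps": find_gaps(txns),
        "balance_exceptions": balance_exceptions,
    }


if __name__ == "__main__":
    for name, finding in run_caat(TEST_TXNS).items():
        print(f"{name}: {finding}")
```

The point of the structure is that the auditor's expectation is computed by code the audit department controls, independently of the application, which is what makes a balance mismatch evidence about the application's processing logic rather than about its input screens.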