The auditor’s objective in an audit of IT controls over financial reporting is to express an opinion on the effectiveness of the company’s internal controls over financial reporting. Because a company’s internal control cannot be considered effective if there are any material weaknesses, the audit must be planned so as to obtain appropriate evidence that is sufficient to obtain reasonable assurance. (Source: Auditing Standard No. 5 of the Public Company Accounting Oversight Board).
It is essential to follow the audit process below:
1. Identifying business objectives: What is the area the business is targeted at? We …
Do the site licenses and the license management system use the necessary encryption methods?
5. Are support contract sales properly differentiated from site license sales?
6. Does the test environment operate separately from the production environment?
7. When a credit card transaction is made for a download, is the credit card information stored anywhere?
8. Are duplicate invoices generated for customers at the time of purchase?
Processes that need to be included in a risk-based audit
1. Classification of risks
- Inherent Risks: Owing to the nature of the business (or)
- Control Risks: A control does not exist or does not work as intended
2. Performing compliance testing: Whether the controls exist. Attribute sampling is one of the techniques that uses this method.
3. Performing substantive testing: Whether the controls work as expected. Individual transactions could be tested to confirm this. Variable sampling is one of the techniques that uses this method.
4. Sharing report with recommendations to management
3. Explain to Hy the process of evaluating control design and operating effectiveness.
There are three types of control:
1. Preventive – Points to detecting the problem before it occurs (Example: Checking a transaction through a third party before making …
Selecting the control framework: The internal audit department of “Software Programs Inc.” has already adapted the COSO framework, which consists of five components:
(Source: http://www.coso.org/documents/internal%20control-integrated%20framework.pdf)
- Control environment: Provides discipline and structure.
- Risk assessment process: Identifying, analyzing and prioritizing risks.
- Control activities: Policies and procedures that ensure the presence of controls.
- Information and communication: Procedures and records established to initiate, record, process and report transactions.
- Monitoring: Assessing the effectiveness of internal controls.
2. Assessing if the controls really exist: Compliance testing could be performed to verify this.
3. Assessing if the controls would achieve the objectives they are intended to achieve: Substantive testing could be performed to verify this.
4. Analyzing the environment for the use of controls: Controls that work in one environment might not be suitable in another. Example: a control to mitigate risks due to a virus breakdown on a Mac system might not behave the same way on a Linux system.
4. Identify the processes you believe should be included in the evaluation of control design and operating