Page 478 - ITGC_Audit Guides
P. 478

GTAG — Continuous Auditing Implementation




            often is sufficiently persuasive using a combination of   GTAG 14: Auditing User-developed Applications for more
            indicators, such as changes to automated controls, system   information.
            security, incidents, outliers, and transactions. Discussions
            with business system owners can help auditors determine   Prepare and Validate the Data
            the transfer method, schedule, and data protocol best suited   Develop a robust data validation capability and criteria to
            for continuous auditing.                            ensure integrity, previous to analysis. One of the greatest
                                                                powers of continuous auditing is to extract data from a
            Build Audit Technical Skills and Knowledge          variety of systems across the organization and to relate
            Standard 1210 requires that internal audit collectively   it for further cross-platform analysis. Combining data
            possess or obtain the knowledge, skills, and other   from disparate systems requires data validation to remove
            competencies needed to perform its responsibilities. Varying   unreliable transactions and prepare the data in a standard
            levels of IT proficiency will be required as continuous   audit format. Automated data feeds can reduce validation
            auditing is developed and implemented. For example, in the   time and increase the frequency of analysis.
            early stages of implementation:

              •  Parameter sensitivity, depth of analysis, and other   Construct Continuous Auditing Indicators
                factors may result in a high volume of flagged   Build a road map that is integrated with the audit plan.
                transactions. The workload required to discern the   Design and construct the continuous auditing techniques
                results will decrease as controls are improved, analytics   based on learnings and specifications that resulted from
                are refined, and continuous auditing matures.   previous traditional audits.
              •  Results may be prone to errors in data interpretation.
                Inaccuracies may be due to a lack of understanding   Ongoing Risk Assessment
                and familiarity with the business systems and the   Consistent with Standard 2120, continuous auditing
                nature of the tests being performed.            enables auditors to “evaluate the effectiveness and
                                                                contribute to the improvement of the risk management
            To enhance IT proficiency:                          processes.” Key activities and considerations in performing
                                                                an ongoing risk assessment include:
              •  Review key data fields and data elements.
              •  Review metadata created by functions applied to the   •  Develop risk indicators:
                data.                                                  o The collection and analysis of data supporting key
              •  Ascertain the timeliness of the data.                business processes and high-risk areas should be
              •  Is the information current?                          gathered from multiple levels of the organization to
                                                                      identify, assess, and respond to risks.
              •  How often is the information updated?                 o Collaborate with business owners and IT
              •  When was the last update?                            professionals to develop risk indicators that are
              •  Determine whether the information is complete and    easily measurable and are sensitive to change.
                accurate.                                              o Leverage risk assessment results to potentially
              •  Verify the auditor’s assumptions and analysis with the   modify the audit plan, as well as individual audit
                application programmers.                              scope and objectives.
              •  Verify the integrity of the data by performing   •  Design analytics to measure increased levels of risk.
                various tests such as reasonability, edit checks, and     o KRIs should:
                comparison to other sources, including previous        o Focus on the extent of change experienced by
                investigations or audit reports (e.g., syntactic,      the entity over time (design KRIs to facilitate
                semantic, and pragmatic data integrity).               trending).
              •  Leverage knowledge gained from internal audit         o Be a combination of process-based leading
                engagements.                                           indicators and symptomatic lagging indicators.
            Assess Reliability of Data Sources                         o Be identified in sufficient number that when
            Data reliability is critical to successful continuous auditing   routinely compared will isolate outlier entities
            implementation and should be assessed during a baseline    that are accepting risk beyond the established risk
            audit. Data sourced from a production environment subject   tolerance level.
            to IT general controls is more reliable than data sourced
            from end-user developed applications. As reliability
            increases, the level of testing and verification necessary
            to reduce audit risk to an acceptable level decreases. See

                                                             13
   473   474   475   476   477   478   479   480   481   482   483