Page 124 - CITP Review

office of management and budget pilot project. All deficiencies should be communicated in writing; if no
            deficiencies exist, the auditor should not make communications in writing, because it could easily lead to
            a misinterpretation.

            Testing of IT controls

            IT-related assurance services and IT reviews follow a similar process in performing the associated audit
            program. The techniques and procedures include planning for

              tests of controls (ToC) for both application controls and ITGC,
              gathering sufficient evidence related to program objectives,
              sampling considerations (if applicable), and
              using IT tools and techniques to gain efficiencies or effectiveness.

            The final point has become a beneficial option because of the expansion of computerized applications and
            business processes and digital data, and the increased ease of using the tools. Computer-assisted audit
            tools (CAATs) have become a valuable asset in audits, assurance services, and IT reviews for a variety of
            program objectives. Exhibit 3-11 shows an example of the overall process using a financial audit as the
            illustration.

            The first phase of this process is the planning of the audit or review. The second phase generally follows the
            RBA, although it depends on the type of audit or review being conducted. After the CITP gains a thorough
            understanding of the target systems, technologies, and data, the CITP would usually perform a risk
            assessment related to the audit or review objectives.

            From the information gained during the understanding step and the risk assessment step, the CITP would
            design the appropriate tests and procedures of the audit or review. Those procedures would be directly
            linked to the risk; that is, the greater the risk, the more powerful the procedure and the more persuasive the
            evidence needs to be. The second phase concludes with the execution of those tests and procedures.

            Analyzing the evidence gathered from the tests and procedures, the CITP would use professional judgment
            to determine whether the audit or review objectives had been satisfactorily met. If not, the IT auditor would
            return to the first phase of planning and iterate the first two phases.

            When the objectives have been met, the CITP proceeds to phase three, which is to complete the evaluation of
            audit or review findings; compile evidence to support decisions or conclusions; and conclude with some kind
            of report on the results of the audit or review. The concluding report or a separate report generally includes
            some recommendations.

            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-40