Page 125 - CITP Review

            Exhibit 3-11 — IT Audit process – Financial audit illustration [23]

            Planning
            Automated controls should be tested when there is an expectation of operating effectiveness for them;
            when substantive procedures alone do not provide sufficient evidence; and when there is a lack of audit
            trail other than through IT or digital data. Controls must be tested when required by law (for example,
            SOX); when no paper audit trail exists (for example, EDI); and when substantive procedures alone do not
            provide sufficient audit evidence (for example, high volume of routine transactions).

            In addition, it is likely to be beneficial to conduct tests of controls (ToCs) when the client is a
            continuing client; controls are stable during the year; IT general controls (ITGC) are effective;
            walk-throughs have shown that the design of a control is effective; there is good segregation of
            duties (SoD); and reliance on internal audit is acceptable.

            Planning for tests of controls (ToC) for application controls is reliant upon several factors. First, the
            ToC can be conducted only if the relevant ITGCs are reliable. Second, ToC must be related to the audit
            objectives. Third, the objective is operational effectiveness, not simply the appropriate design of the
            control or the implementation of the control. That consideration involves how controls were applied
            during the period under consideration, the consistency with which they were applied, and by whom they
            were applied.

            One approach to determining the benefits of testing application controls versus manual substantive
            procedures is to look for overlaps. This overlap is the key to audit or review efficiency and effectiveness.
            This overlap scenario is when the audit objective and the control objective are virtually the same. For
            instance, if an audit objective is to gain assurance that disbursements were properly approved — and if
            there is an automated control or set of controls whose purpose is to make sure all disbursements are
            properly approved, and if the ITGC are reliable — then that audit situation should be ripe for efficiency
            gains by employing ToC over the set of approval controls. Typically, if the ToC results indicate that the


            [23] “Information Technology Considerations in Risk-Based Auditing: A Strategic Overview,” white paper, AICPA (June 26, 2007).


            © 2019 Association of International Certified Professional Accountants. All rights reserved.