IT Audit Report: Risk Assessment, Methodologies, and Business Impact

Added on  2021/02/20

AI Summary
This report provides a comprehensive analysis of an IT audit, examining various aspects such as risk assessment, methodologies, and the impact of IT-related controls on business operations. It begins with an introduction that highlights the importance of IT audits in ensuring data security and business asset protection. The report then delves into the risks involved in planning and conducting IT audits, including inherent, detection, and control risks. It describes different audit methodologies like substantive, system-based, transaction cycle, balance sheet, risk-based, and directional approaches. The report also identifies common irregularities found in audit reports and discusses the impact of IT controls on business operations, including change management, source code protection, software development life cycle, and access management. Finally, the report addresses the professional, legal, and ethical responsibilities of IT auditors. The report is based on Western Australian Auditor General's Report and aims to identify key discrepancies in the audit process.
REPORT
TABLE OF CONTENTS
INTRODUCTION
Risks related to planning and conducting IT audit and control activities
Describe audit methodology
Irregularities that can be noticed in audit report
Impact of IT-related controls on business operations
Professional, legal and ethical responsibility of IT auditor
CONCLUSION
REFERENCES
INTRODUCTION
An information technology audit is a process whose main focus is examining all the business
processes, operations and policies pertaining to a company's information technology
infrastructure. Such an audit provides assurance regarding the dispensing of crucial
information to end users. It also helps to confirm the company's ability to protect its
business assets used in conducting the information audit. The present report is based on the
Western Australian Auditor General's Report and focuses on identifying the key discrepancies
made while conducting the audit process. It defines the different auditing methodologies and
identifies the key risk factors. Furthermore, it explains the professional, legal and ethical
responsibilities of the auditor. Finally, it describes IT audit controls and their impact on
business operations.
Risks related to planning and conducting IT audit and control activities
IT audit refers to examining the internal and external functioning of a company and checking
its documents so that the auditor can ensure that the presented data and information are
accurate and reliable. The auditor also provides suggestions to improve the performance of the
company (Yang et al., 2018). Various risks are involved in planning and conducting an IT
audit, such as inherent risk, detection risk and control risk.
Inherent risk: This refers to the omission of financial data or information during the audit
because of uncontrollable factors. In IT audit, inherent risk occurs most often because of the
huge data sets involved and the high degree of judgement required to choose the methods for
planning and conducting the audit.
Detection risk: This refers to the chance that the auditor fails to identify material
misstatements that exist in the financial statements of the company. In other words, it arises
when the auditor fails to notice the misstatements.
Control risk: This refers to the risks involved in the planning process of auditing. It is
high when the system is unable to update its reports and functioning, or when the financial
information is not up to date.
Control risks mainly arise in the planning stage of IT auditing (Cohen, Krishnamoorthy and
Wright, 2017). In the planning stage the auditor also has to deal with various other risks,
such as adopting the wrong approach or method for conducting the audit, or making wrong
assumptions about the company. A wrong audit method decreases the reliability of the audit
result and presents a wrong image of the company in the market. The auditor also runs the risk
of presenting wrong information and statements about the company. Sometimes managers present
wrong reports to the auditor regarding applications, information etc. in order to project a
good image of the company, so that they can get a higher market share. Material misstatements
create a wrong perception of the IT company, which increases malpractice by the company in the
market, such as stolen data and leaking of user information.
Describe audit methodology
The two terms audit process and audit methodology are often used interchangeably. Audit
process refers to the stages through which an audit passes. On the other hand, the auditor has
to gather sufficient evidence to form a specific conclusion. This is where audit methodology
comes in: it helps the auditor accumulate sufficient evidence about the firm's accounting
practices. Some of the audit methodologies or approaches are explained below.
Substantive approach: This approach is used by an auditor to ensure that the firm has made no
material misstatements in its books of accounts or financial statements (Ball, Tyler and
Wells, 2015). A number of tasks are performed under the substantive approach. Classes of
transactions are tested and varied information is gathered in respect of account balances and
disclosures. The annual report gives disclosures about most transactions and the way in which
the final values were computed. In this approach journal entries are checked, and the
adjustments that were taken into account while preparing the financial statements are
analysed. Thus, the substantive approach analyses operations at a basic level.
System based approach: In this approach the auditor attempts to understand the internal
control system of the business firm to the maximum possible extent (Yoon, Hoogduin and Zhang,
2015). After developing this understanding, the auditor tests and validates those internal
controls. This is done to ensure that internal control is working in a systematic way, which
leads to accurate financial statements in the business. If internal control is not strong,
malpractice or manipulation of facts becomes easy and corruption can happen. Thus, the
system-based approach is of great significance for the auditor.
Transaction cycle approach: Under this approach the manager identifies the ways in which
varied transactions are recorded in the company's books of accounts. There is a wide variety
of cycles in a business, such as the sales, purchase, payroll and financial cycles (Krauß,
Pronobis and Zülch, 2015). The auditor makes a small transaction and identifies the ways in
which all these transactions are recorded. This shows whether transactions are recorded
properly or whether there are loopholes in the transaction recording process. This approach is
commonly used by auditors because it is simple and more informative in nature.
Balance sheet audit approach: Under this approach the auditor assumes that if the balance
sheet is perfect, the income statement will also be correct. The auditor identifies the items
whose value is high and carries out the audit on them (Duellman, Hurwitz and Sun, 2015). If
everything in the balance sheet is found to be perfect, it can be assumed that everything in
the income statement is perfect too. This approach is commonly used by auditors in their
day-to-day practice. It can be said that this approach assists auditors a great deal in
carrying out audit-related operations in the business.
Risk based approach: It is the shortest and most accurate way of auditing. In this approach
the auditor studies the client's business, its environment, its internal control etc. By
understanding all these things, the auditor identifies the areas where work needs to be done
(Li et al., 2018). The auditor identifies potential risk areas and areas where figures can be
manipulated. Thus, by following a narrow approach, the audit work is done on specific areas.
Directional approach: In this approach the debit and credit concept is taken into account. The
directional approach is based on the double-entry accounting system. If any amount is debited,
it will also be credited in another account. Thus, if the debit side of the trial balance is
correct, the credit side will also be correct. The auditor therefore confirms the debit side
of transactions and the credit side is automatically checked. It can be said that two birds
are killed with one stone.
Irregularities that can be noticed in audit report
The company has control weaknesses in its applications. The problems it faced concern
policies, procedures and the security of information. Irregularities were also found in the
controls of application functions.
Companies are required to have their operations audited by IT auditors, who can assess the
effectiveness of the objectives and goals of the organisation. The audit report is the
document that presents the findings of the information audit. The report should cover all the
governance systems related to business needs. The issues faced by the company are to be
reported in the audit report of information system companies. The audit report should state
whether or not the company is following the compliance procedures, and it should also set out
all the risks faced by the company. The authorities have laid down different reporting and
compliance frameworks which companies are to follow. Different auditing standards are laid
down by statute for the auditing and reporting of procedures (AlKalbani, Deng and Kam, 2016).
In the current audit report, the irregularities found are that it does not identify the
specific control problems. It does not give the impact of not complying with the standards set
down. It is also required to give optimization strategies to be followed by the company. The
recommendations given could be elaborated so that the company can understand their importance.
The report does not report the IT-related risks faced by the company. Most specifically, the
report does not give an adequate analysis of the control system.
Impact of IT-related controls on business operations
Controls are laid down by statutes such as COBIT and COSO, which are the internal control
frameworks. The controls are laid down for IT companies. Controls relating to the environment
are laid down to shape the corporate culture of the company. Control procedures for change
management are designed to ensure that changes meet business requirements and that the changes
are authorized (Davidoss, Wormald and Hinton-Bayre, 2018).
Change management is a set of approaches for preparing, supporting and helping teams,
individuals and organisations to make organisational change. The most common drivers of change
include technology, process review and evolution. These are general controls which help
organisations to learn about and bring in new technologies that help in evaluating the
processes the company uses for its operations.
Control procedures for source code are designed to help organisations protect the integrity of
program code. These procedures are important because they have a significant impact on
business operations. The integrity of program code is essential, as the functioning of a
program may be stopped if the code is not understood properly. The control will also protect
the program code from being leaked (Ferguson, Pinnuck and Skinner, 2016).
Controls over the software development life cycle ensure the effective management of IT
projects within the company. These controls are necessary because, if the processes followed
by the company cannot be identified, the subsequent processes will be affected. If processes
are not checked adequately, the further operations of the business will also be affected.
Controls related to standards, policies and processes are important for managing access based
on the needs of the business. Without such controls over the protocols and tools that are used
for authentication, authorization, identification and accountability in computer systems, or
if they are not properly maintained, the security of systems and of whole operations can be
significantly impacted.
Procedures and policies related to incidents are important as they inform the company about
processing errors. It is important for the company to adopt these controls so that such errors
do not occur in future, as they can significantly affect the working of the company. If any
one process is affected, it will affect the whole of business operations.
Problem management controls give the company information about the processes that will affect
the life cycle management of its operations. The tool is used to prevent the problems that
affect business operations. It identifies the exact problem occurring in the operation of the
business.
Reporting frameworks are important and are to be followed by the company so that readers can
identify the exact scenarios followed by the company. The reporting frameworks are also to be
followed by the auditors (Raju et al., 2015).
Professional, legal and ethical responsibility of IT auditor
It is the professional responsibility of the auditor to ensure that all the control systems
that are to be followed by the company are followed adequately. Leaders of audit teams are
responsible for recognizing good work and for providing effective improvement strategies for
the company. They are responsible for demonstrating examples that are good and effective for
improving the business operations of the company. It is the ethical responsibility of the
company that every issue it faces is reported properly in the annual reports prepared by
auditors. It is the ethical responsibility of the auditor that every aspect affecting business
operations is reported in the annual reports of the company (Wilkin et al., 2016).
CONCLUSION
From the above study it can be concluded that IT companies are required to follow different
compliance procedures in operating their business. They are required to follow the reporting
frameworks laid down by statute. The frameworks to be followed by IT companies are COBIT and
COSO. These strategies help auditors to improve their auditing procedures, which enhances
their efficiency. Auditors have to fulfil their ethical responsibility of responding to the
issues that companies face in their IT-related operations.
REFERENCES
Books and Journals
AlKalbani, A., Deng, H. and Kam, B., 2016. Investigating the role of socio-organizational
factors in the information security compliance in organizations. arXiv preprint
arXiv:1606.00875.
Ball, F., Tyler, J. and Wells, P., 2015. Is audit quality impacted by auditor relationships?
Journal of Contemporary Accounting & Economics, 11(2), pp.166-181.
Cohen, J., Krishnamoorthy, G. and Wright, A., 2017. Enterprise Risk Management and the
Financial Reporting Process: The Experiences of Audit Committee Members, CFOs, and External
Auditors. Contemporary Accounting Research, 34(2), pp.1178-1209.
Davidoss, N.H., Wormald, R. and Hinton-Bayre, A., 2018. An 11-year tertiary level audit of
surgical pathology of the parotid in Western Australia. Australian Journal of Otolaryngology,
1.
Duellman, S., Hurwitz, H. and Sun, Y., 2015. Managerial overconfidence and audit fees. Journal
of Contemporary Accounting & Economics, 11(2), pp.148-165.
Ferguson, C., Pinnuck, M. and Skinner, D., 2016. The evolution of audit market structure and
the emergence of the Big 4: Evidence from Australia. Chicago Booth Research Paper, (14-13).
Krauß, P., Pronobis, P. and Zülch, H., 2015. Abnormal audit fees and audit quality: initial
evidence from the German audit market. Journal of Business Economics, 85(1), pp.45-84.
Li, H. et al., 2018. Understanding usage and value of audit analytics for internal auditors:
An organizational approach. International Journal of Accounting Information Systems, 28,
pp.59-76.
Raju et al., 2015. The Australian and New Zealand Audit of Surgical Mortality—Birth, Deaths,
and Carriage. Annals of Surgery, 261(2), pp.304-308.
Wilkin et al., 2016. Exploring differences between smaller and large organizations' corporate
governance of information technology. International Journal of Accounting Information Systems,
22, pp.6-25.
Yang, R. et al., 2018. Corporate risk disclosure and audit fee: a text mining approach.
European Accounting Review, 27(3), pp.583-594.
Yoon, K., Hoogduin, L. and Zhang, L., 2015. Big Data as complementary audit evidence.
Accounting Horizons, 29(2), pp.431-438.