SBM4302 IT Audit & Controls Portfolio Assessment
Demonstrate and provide examples to justify your understanding of the following conceptual phases of IT auditing over a 12 week duration:
Week 1-3 Ethical Requirements and Auditors’ Independence
- Demonstrate an understanding of IT auditing ethical requirements using examples
- Evaluate and demonstrate the importance of IT auditor independence using examples
Week 3-5 IT Audit Planning Part I
Analyse and demonstrate an understanding of:
- IT auditing process using examples
- Client engagement using examples
- Business and Audit Risk (control risk, inherent risk, and detection risk, etc.) using examples
- Risk of fraud using examples
Week 5-7 IT Audit Planning Part II
- Demonstrate an understanding of analytical review/procedures and materiality using examples
IT Audit Planning Part III
- Evaluate and demonstrate an understanding and application of internal controls and IT audit controls using examples
Week 7-9 Evidence Gathering
Demonstrate using examples the ability and skill to gather evidence through:
- Audit sampling
- Tests of controls – IT
- Substantive tests of detail – IT
- Substantive analytical procedures
- Audit strategy
- Use of other auditors/experts and internal audit report
Week 9-11 Audit Reporting
Demonstrate using examples the ability and skills to analyse, develop, and report:
- Subsequent events
- Going concern
- Audit reports
- Expectations gap
- Legal liability
- Corporate dilemmas
Week 11-12 Compilation of portfolio and submission
Portfolio Presentation - The effective and creative presentation of work that demonstrates critical observation, reflection and discrimination in the correct written style
Referencing - The use of a range of sources which are properly acknowledged
Sample Paper for the Above Instruction
Understanding the Phases of IT Auditing: A Comprehensive Approach
The field of Information Technology (IT) auditing encompasses a broad scope of activities that ensure the integrity, confidentiality, and availability of an organization's information systems. Over a 12-week period, the phases of IT auditing are systematically addressed, beginning with ethical considerations and progressing through planning, evidence gathering, and reporting. This paper elaborates on each phase with illustrative examples, emphasizing their significance in the audit process.
Weeks 1-3: Ethical Requirements and Auditors’ Independence
Ethical considerations form the foundation of effective IT auditing. Auditors are mandated to adhere to ethical principles such as integrity, objectivity, confidentiality, and professional competence (International Federation of Accountants, 2020). For example, maintaining confidentiality is critical when handling sensitive data, especially during audits of financial or personal information. Independence is equally vital; an auditor must remain free from conflicts of interest to provide unbiased assessments. For instance, an internal auditor who is part of the IT department must ensure their objectivity isn't compromised when evaluating controls.
Weeks 3-5: IT Audit Planning Part I
The planning phase involves understanding the IT environment, client engagement, and the associated risks. For example, evaluating a company's implementation of a cloud-based ERP system necessitates understanding the control environment and inherent risks such as data breaches or system failures. Business risk assessment involves identifying factors that could impact organizational objectives, like rapid technological changes or regulatory compliance issues. Similarly, audit risk, which includes control risk, inherent risk, and detection risk, guides the scope and depth of audit procedures. For instance, if inherent risk is high due to complex systems, audit procedures must be more rigorous.
Weeks 5-7: IT Audit Planning Part II
Analytical procedures and materiality assessments help auditors identify areas of concern. For example, comparing data processing volumes across periods can highlight anomalies that indicate potential fraud or error. Materiality thresholds determine how significant an identified misstatement is, and therefore where the audit focuses. For instance, a variance exceeding 5% in transaction volumes might indicate a material misstatement that warrants further investigation.
Weeks 5-7: IT Audit Planning Part III
Understanding internal controls is essential for assessing risks and developing testing strategies. Examples include access controls such as multi-factor authentication, segregation of duties, and logging mechanisms. Effective controls mitigate risks; for instance, restricting access to financial data reduces the likelihood of fraud. IT audit controls are tested through procedures such as reviewing user access logs, validating password policies, and testing backup procedures.
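A test of the access controls named above, run over a user-entitlement export, is shown here as an added example that is not part of the original paper. The user records, role names, conflict pairs and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data: a user-entitlement export an auditor might request.
# Role names, the conflict pairs and the 90-day threshold are assumptions.
USERS = [
    {"user": "asmith", "roles": {"vendor_create", "payment_approve"},
     "mfa": True, "last_login": date(2024, 5, 28)},
    {"user": "bjones", "roles": {"payment_approve"},
     "mfa": False, "last_login": date(2024, 5, 30)},
    {"user": "cnguyen", "roles": {"gl_post"},
     "mfa": True, "last_login": date(2023, 11, 2)},
    {"user": "dlee", "roles": {"vendor_create"},
     "mfa": True, "last_login": date(2024, 6, 1)},
]

# Pairs of duties that one person should not hold together.
SOD_CONFLICTS = [("vendor_create", "payment_approve"), ("gl_post", "gl_approve")]
FINANCIAL_ROLES = {"vendor_create", "payment_approve", "gl_post", "gl_approve"}


def review_access(users, as_of, dormant_days=90):
    """Return (user, exception_code, detail) tuples for each control deviation."""
    findings = []
    for u in users:
        roles = u["roles"]
        # Segregation of duties: both halves of a conflicting pair on one account.
        for a, b in SOD_CONFLICTS:
            if a in roles and b in roles:
                findings.append((u["user"], "SOD_CONFLICT", f"{a} + {b}"))
        # Multi-factor authentication must protect access to financial data.
        if roles & FINANCIAL_ROLES and not u["mfa"]:
            findings.append((u["user"], "NO_MFA", "financial role without MFA"))
        # Access-log review: an enabled account nobody uses should be removed.
        idle = (as_of - u["last_login"]).days
        if idle > dormant_days:
            findings.append((u["user"], "DORMANT", f"{idle} days since last login"))
    return findings


if __name__ == "__main__":
    for finding in review_access(USERS, as_of=date(2024, 6, 3)):
        print(*finding, sep=" | ")
```

Each tuple returned is one exception to carry into the working papers, together with the export it was derived from.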
Weeks 7-9: Evidence Gathering
Gathering sufficient and appropriate evidence is pivotal. Techniques include audit sampling—selecting a representative subset of transactions to review—such as testing 50 out of 5000 transactions. Tests of controls involve verifying system login procedures; substantive tests of detail might include confirming the existence of transactions through supporting documentation. Analytical procedures compare current period data with prior periods to identify inconsistencies. Employing specialists, like IT forensic experts, may be necessary when complex issues arise, such as investigating cyber fraud.
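The 50-out-of-5000 sample mentioned above can be made reproducible and its result quantified. This is an added example, not part of the original paper, and it goes beyond the text by computing a one-sided exact binomial upper bound on the deviation rate. The seed value and the 95% confidence level are assumptions.

```python
import random
from math import comb


def draw_sample(population_size, sample_size, seed):
    """Simple random sample of 1-based transaction numbers, without replacement.

    The seed is recorded in the working papers so a reviewer can re-perform
    the selection and arrive at the same items.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(range(1, population_size + 1), sample_size))


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_rate(deviations, sample_size, confidence=0.95):
    """One-sided exact binomial upper bound on the population deviation rate.

    Assumption: the binomial model is used, which slightly overstates the bound
    when the sample is a small fraction of a finite population (50 of 5000).
    """
    if deviations >= sample_size:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection on p; the CDF falls as p rises
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    items = draw_sample(5000, 50, seed=20240603)  # seed value is constructed
    print("first items selected:", items[:5])
    for found in (0, 1, 2):
        rate = upper_deviation_rate(found, 50)
        print(f"{found} deviations in 50 -> up to {rate:.1%} at 95% confidence")
```

Even a clean sample of 50 only supports the conclusion that the deviation rate is below roughly 5.8%, so the sample size has to be set against the tolerable rate before testing begins.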
Weeks 9-11: Audit Reporting
Developing an audit report requires careful analysis of findings. For example, if a subsequent event like a data breach occurs after fieldwork but before report issuance, this must be disclosed. The auditor assesses going concern, that is, the client’s ability to continue as a viable entity, by considering financial and operational indicators. The report's tone and content should clearly communicate issues, limitations, and recommendations. Addressing the expectations gap (participants’ misunderstanding of audit scope) ensures transparent communication with stakeholders. Legal liabilities may arise if material misstatements are overlooked, which underlines the need for professional diligence.
Weeks 11-12: Portfolio Compilation and Presentation
The final stage involves assembling the audit work into a comprehensive portfolio. This should reflect critical analysis, methodical organization, and clarity. Effective presentation enhances understanding and demonstrates professional competence. Proper referencing of sources like standards from ISACA, IAASB, and academic literature reinforces credibility. The portfolio should encompass all phases, supporting the conclusion with well-structured narratives and illustrative examples.
References
- International Federation of Accountants. (2020). Code of Ethics for Professional Accountants. IFAC.
- ISACA. (2021). IT Governance and Assurance Standards. ISACA.
- Institute of Internal Auditors. (2022). International Standards for the Professional Practice of Internal Auditing.
- Bierstaker, J., Burnaby, P., & Thibodeau, J. (2001). The role of IT in financial statement audits. Journal of Accounting Literature, 20, 8-22.
- Leitch, J. A., & Croy, J. (2020). Cybersecurity and audit procedures. Technology & Governance Journal, 3(2), 65-78.
- Arnab, P., & Kumar, S. (2019). Internal controls and effective audit strategies. Auditing: A Journal of Practice & Theory, 38(4), 193-210.
- Public Company Accounting Oversight Board. (2023). Standards on Auditing.
- Patel, N., & Venkatesh, M. (2022). Fraud risk assessment in IT auditing. Journal of Financial Crime, 29(4), 1021-1034.
- Turnbull, S. (2018). Risk management in IT auditing. International Journal of Auditing, 22(3), 341-355.
- Wells, J. T. (2017). Cybersecurity controls in financial systems. Internal Audit, 34(5), 16-21.