Internal Audit Program
Management should develop and follow a formal internal audit program consisting of policies and procedures that govern the internal audit function, including IT audit.
An institution's internal audit program consists of the policies and procedures that govern its internal audit functions, including risk-based auditing programs and outsourced internal audit work, if applicable. While smaller institutions' audit programs may not require the formality of those found in larger, more complex institutions, all audit programs should include:
- A mission statement or audit charter outlining the purpose, objectives, organization, authorities, and responsibilities of the internal auditor, audit staff, audit management, and the audit committee.
- A risk assessment process to describe and analyze the risks inherent in a given line of business. Auditors should update the risk assessment at least annually, or more frequently if necessary, to reflect changes to internal control or work processes, and to incorporate new lines of business. The level of risk should be one of the most significant factors considered when determining the frequency of audits.
- An audit plan detailing internal audit's budgeting and planning processes. The plan should describe audit goals, schedules, staffing needs, and reporting. The audit plan should cover at least 12 months and should be defined by combining the results of the risk assessment and the resources required to yield the timing and frequency of planned internal audits. The audit committee should formally approve the audit plan annually, or review it annually in the case of multi-year audit plans. The internal auditors should report the status of planned versus actual audits, and any changes to the annual audit plan, to the audit committee for its approval on a periodic basis.
- An audit cycle that identifies the frequency of audits. Auditors usually determine the frequency by performing a risk assessment, as noted above, of areas to be audited. While staff and time availability may influence the audit cycle, they should not be overriding factors in reducing the frequency of audits for high-risk areas.
- Audit work programs that set out for each audit area the required scope and resources, including the selection of audit procedures, the extent of testing, and the basis for conclusions. Well-planned, properly structured audit programs are essential to strong risk management and to the development of comprehensive internal control systems.
- Written audit reports informing the board and management of individual department or division compliance with policies and procedures. These reports should state whether operating processes and internal controls are effective, and describe deficiencies as well as suggested corrective actions. The audit manager should consider implementing an audit rating system (for example, satisfactory, needs improvement, unsatisfactory) approved by the audit committee. The rating system facilitates conveying to the board a consistent and concise assessment of the net risk posed by the area or function audited. All written audit reports should reflect the assigned rating for the areas audited.
- Requirements for audit work paper documentation to ensure clear support for all audit findings and work performed, including work paper retention policies.
- Follow-up processes that require internal auditors to determine the disposition of any agreed-upon actions to correct significant deficiencies.
- Professional development programs to be in place for the institution's audit staff to maintain the necessary technical expertise.
All institutions are encouraged to implement risk-based IT audit procedures based on a formal risk assessment methodology to determine the appropriate frequency and extent of work. See the "Risk Assessment and Risk-Based Auditing" section of this booklet for more detail.
IT audit procedures will vary depending upon the philosophy and technical expertise of the audit department and the sophistication of the data center and end-user systems. However, to achieve effective coverage, the audit program and expertise of the staff must be consistent with the complexity of data processing activities reviewed. The audit procedures may include manual testing processes or computer-assisted audit programs (discussed later in this section).
The audit department should establish standards for audit work papers, related communications, and retention policies. Auditors should ensure that work papers are well organized, clearly written, and address all areas in the scope of the audit. They should contain sufficient evidence of the tasks performed and support the conclusions reached. Formal procedures should exist to ensure that management and the audit committee receive summarized audit findings that effectively communicate the results of the audit. Full audit reports should be available for review by the audit committee. Policies should establish appropriate work paper retention periods.
Institutions should consider conducting their internal audit activities in accordance with professional standards, such as the Standards for the Professional Practice of Internal Auditing issued by the Institute for Internal Auditors (IIA), and those issued by the Standards Board of the Information Systems Audit and Control Association (ISACA). These standards address independence, professional proficiency, scope of work, performance of audit work, management of internal audit, and quality assurance reviews.
IT auditors frequently use computer-assisted audit techniques (CAATs) to improve audit coverage by reducing the cost of testing and sampling procedures that otherwise would be performed manually. CAATs include many types of tools and techniques, such as generalized audit software, utility software, test data, application software tracing and mapping, and audit expert systems. CAATs may be:
- Developed by internal programming staff or by outside programmers with audit department supervision;
- Purchased generalized audit software, e.g., audit packages offered by CPA firms or software vendors;
- Developed by IT auditors; or
- Acquired from equipment manufacturers and software houses to analyze machine, programmer, and operations efficiency.
Whatever the source, audit software programs should remain under the strict control of the audit department. For this reason, all documentation, test material, source listings, source and object program modules, and all changes to such programs, should be strictly controlled. In installations using advanced software library control systems, audit object programs may be catalogued with password protection. This is acceptable if the auditors retain control over the documentation and the appropriate job control instructions necessary to retrieve and execute the object program from the libraries where it is stored. If internal control procedures within the computer system do not allow for strict audit control, audit programs should not be catalogued. Computer programs intended for audit use should be documented carefully to define their purpose and to ensure their continued usefulness and reliability.
CAATs may be used in performing various audit procedures, including the following:
- Tests of transactions and balances, such as recalculating interest;
- Analytical review procedures, such as identifying inconsistencies or significant fluctuations;
- Compliance tests of general controls, such as testing the set-up or configuration of the operating system or access procedures to the program libraries;
- Sampling programs to extract data for audit testing;
- Compliance tests of application controls such as testing the functioning of a programmed control;
- Recalculating entries performed by the entity's accounting systems; and
- Penetration testing.
These tools and techniques can also be used effectively to check data integrity by testing the logical processing of data "through" the system, rather than by relying only on validations of input and output controls.
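As an added illustration that is not part of the booklet, the following Python script shows three of the CAAT procedures listed above run over constructed loan records: recalculating posted interest, flagging significant period-over-period fluctuations, and drawing a reproducible sample for testing. The actual/365 simple-interest convention, the record layout, the exception tolerance and the fluctuation threshold are all assumptions made for the example.

```python
import random
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample of system-posted monthly interest (not real institution data).
# L-003 is deliberately mis-posted so the recalculation test has something to find.
LEDGER = [
    {"loan": "L-001", "principal": Decimal("100000.00"), "rate": Decimal("0.0600"), "days": 30, "posted": Decimal("493.15")},
    {"loan": "L-002", "principal": Decimal("250000.00"), "rate": Decimal("0.0450"), "days": 31, "posted": Decimal("955.48")},
    {"loan": "L-003", "principal": Decimal("50000.00"),  "rate": Decimal("0.0725"), "days": 30, "posted": Decimal("350.00")},
    {"loan": "L-004", "principal": Decimal("75000.00"),  "rate": Decimal("0.0525"), "days": 31, "posted": Decimal("334.42")},
]

def expected_interest(rec):
    """Independently recompute simple interest on an actual/365 basis (assumed convention)."""
    raw = rec["principal"] * rec["rate"] * rec["days"] / Decimal(365)
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)

def recalculate(ledger, tolerance=CENT):
    """Test of transactions: compare system-posted interest with the auditor's own figure."""
    exceptions = []
    for rec in ledger:
        expected = expected_interest(rec)
        diff = rec["posted"] - expected
        if abs(diff) > tolerance:  # anything beyond rounding is an exception for the work papers
            exceptions.append({"loan": rec["loan"], "posted": rec["posted"], "expected": expected, "diff": diff})
    return exceptions

def flag_fluctuations(series, threshold=Decimal("0.25")):
    """Analytical review: flag period-over-period movements larger than the threshold."""
    flagged = []
    for i in range(1, len(series)):
        prev, cur = series[i - 1], series[i]
        change = (cur - prev) / prev
        if abs(change) > threshold:
            flagged.append((i, change.quantize(Decimal("0.001"), rounding=ROUND_HALF_UP)))
    return flagged

def sample_for_testing(ledger, n, seed):
    """Sampling program: seeded so the work papers can record how the sample was drawn and reproduce it."""
    rng = random.Random(seed)
    return sorted(r["loan"] for r in rng.sample(ledger, n))

if __name__ == "__main__":
    for e in recalculate(LEDGER):
        print(f"EXCEPTION {e['loan']}: posted {e['posted']} expected {e['expected']} diff {e['diff']}")
    print(flag_fluctuations([Decimal(x) for x in ("1000", "1050", "980", "1600", "1020")]))
    print(sample_for_testing(LEDGER, 2, seed=20240101))
```

Running it reports L-003 as the single exception (posted 350.00 against a recomputed 297.95), flags the two large swings in the constructed fee-income series, and prints the same two-loan sample every time the seed is reused.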
Risk Assessment and Risk-Based Auditing