AUDIT PROCEDURES ARE SYSTEMS Several steps are required to perform an audit. The systems auditor must assess the overall risks and then develop an audit program that consists of control objectives and audit procedures that must meet those objectives. The audit process requires the systems auditor to gather: AUDIT PLANNING Proper planning is the first step necessary to perform effective system audits. The systems auditor must understand the business environment in which the audit is to be performed as well as the business risks and associated control. AREAS THAT MUST BE COVERED DURING THE PLANNING OF THE AUDIT: to. Understanding of the business and its environment. The systems auditor must have a sufficient understanding of the total environment being reviewed. It should include a general understanding of the various business practices and functions related to the subject of the audit, as well as the types of systems used. The systems auditor must also understand the regulatory environment in which the business operates. For example, a bank will be required to have integrity requirements for information and control systems that are not present in a manufacturing company. The steps that a systems auditor can carry out to obtain an understanding of the business are: Go through the facilities of the entity. Reading of background material that includes publications on that industry, reports and financial reports. Interviews with key managers to understand essential business issues. Study of reports on norms or regulations. Review of long-term strategic plans. Review of previous audit reports. b. Risk and audit materiality. Audit risks can be defined as those risks that the information may have material errors or that the systems auditor cannot detect an error that has occurred. Audit risks can be classified as follows: Inherent risk: When a material error cannot be prevented from happening because there are no related compensatory controls that can be established. Control Risk: When a material error cannot be avoided or detected in a timely manner by the internal control system. Detection risk: It is the risk of the auditor performing successful tests based on an inappropriate procedure. The auditor can conclude that there are no material errors when there really are. The word "material" used with each of these components or risks, refers to an error that should be considered significant when an audit is carried out. In an information systems audit, the definition of material risks depends on the size or importance of the audited entity as well as other factors. The systems auditor should have a thorough understanding of these audit risks when planning. An audit may not detect each of the potential errors in a universe. But, if the sample size is large enough, or adequate statistical procedures are used, the probability of detection risk is minimized. Similarly, when evaluating internal controls, the systems auditor should perceive that in a given system a minimum error can be detected, but that error, combined with others, may turn into a material error for the entire system. The materiality in the systems audit must be considered in terms of the total potential impact for the entity rather than some monetary-based measure. c. Risk assessment techniques. In determining which functional areas or audit issues to be audited, the systems auditor may face a wide variety of audit candidate issues, the systems auditor should assess those risks and determine which of those high-risk areas should be audited. . There are four reasons why risk assessment is used, these are: Allow management to allocate necessary resources for the audit. Ensure that relevant information has been obtained from all management levels, and ensures that the activities of the audit function are correctly directed to high-risk areas and constitute an added value for management. Establish the basis for the organization of the audit in order to effectively manage the department. Provide a summary that describes how the individual audit issue relates to the overall organization of the company as well as the business plans. d. Control objectives and audit objectives. The objective of a control is to cancel a risk following some methodology, the audit objective is to verify the existence of these controls and that they are functioning efficiently, respecting the company's policies and objectives.