Uploaded by Harol Espinal M.


Several steps are required to perform an audit. The systems auditor must assess the overall
risks and then develop an audit program that consists of control objectives and audit
procedures that must meet those objectives.
The audit process requires the systems auditor to gather:
Proper planning is the first step necessary to perform effective system audits. The systems
auditor must understand the business environment in which the audit is to be performed as
well as the business risks and associated controls.
a. Understanding of the business and its environment.
The systems auditor must have a sufficient understanding of the total environment being
reviewed. It should include a general understanding of the various business practices and
functions related to the subject of the audit, as well as the types of systems used. The systems
auditor must also understand the regulatory environment in which the business operates. For
example, a bank will be required to have integrity requirements for information and control
systems that are not present in a manufacturing company. The steps that a systems auditor
can carry out to obtain an understanding of the business are:
- Touring the entity's facilities.
- Reading background material, including publications on that industry, reports and
  financial reports.
- Interviewing key managers to understand essential business issues.
- Studying reports on norms or regulations.
- Reviewing long-term strategic plans.
- Reviewing previous audit reports.
b. Risk and audit materiality.
Audit risk can be defined as the risk that the information contains material errors, or that
the systems auditor fails to detect an error that has occurred. Audit risks can be classified as
follows:
- Inherent risk: a material error cannot be prevented from happening because there are no
  related compensatory controls that can be established.
- Control risk: a material error cannot be avoided or detected in a timely manner by the
  internal control system.
- Detection risk: the auditor performs successful tests based on an inappropriate procedure
  and can conclude that there are no material errors when there really are.
The word "material", used with each of these risk components, refers to an error that should
be considered significant when an audit is carried out. In an information systems audit, the
definition of material risk depends on the size or importance of the audited entity as well as
other factors. The systems auditor should have a thorough understanding of these audit risks
when planning. An audit may not detect every potential error in a universe, but if the sample
size is large enough, or adequate statistical procedures are used, detection risk is minimized.
Similarly, when evaluating internal controls, the systems auditor should recognize that a
minimal error can be detected in a given system, but that error, combined with others, may
turn into a material error for the entire system. Materiality in a systems audit must be
considered in terms of the total potential impact on the entity rather than some
monetary-based measure.
c. Risk assessment techniques.
When determining which functional areas or audit issues to audit, the systems auditor may
face a wide variety of candidate issues. The systems auditor should assess those risks and
determine which high-risk areas should be audited. There are four reasons why risk
assessment is used:
- Allow management to allocate the necessary resources for the audit.
- Ensure that relevant information has been obtained from all management levels, and that
  the activities of the audit function are correctly directed to high-risk areas and
  constitute an added value for management.
- Establish the basis for the organization of the audit in order to effectively manage the
  department.
- Provide a summary that describes how the individual audit issue relates to the overall
  organization of the company as well as to the business plans.
d. Control objectives and audit objectives.
The objective of a control is to cancel a risk by following some methodology; the audit
objective is to verify that these controls exist and that they are functioning efficiently,
respecting the company's policies and objectives.