MARCO TEÓRICO.

Planning is fundamental to successful auditing. Bad planning typically results in a failure to achieve the audit objectives as well as the con- ducting of audits being either insufficient in scope with unidentified risks resulting in incomplete audits, or alternatively over-auditing and making inefficient use of resources.

One of the more common mistakes made by Information Tech- nology (IT) auditors is proceeding to implementation of the audit without having a clearly thought-out plan.

Planning is one of the most fundamental management techniques and yet one of the most badly executed techniques. In order for an audit to be effective it must, by definition, achieve its objectives. It is critical that the auditor fully understand these objectives before the audit commences. A structured, well-documented audit plan identi- fies and establishes the criteria against which a successful audit will be measured. The planning process involves:

■ _{Identifying the tasks to be performed in the course of an audit} ■ _{Allocation of those tasks to specific auditors}

■ _{Deciding when a task should commence}

■ _{Quantification of the duration of each individual task based upon} the auditor allocated

The primary stage of planning any audit, computer or non-com- puter, is obtaining a clear understanding of the business objectives of the area under review. For example, the overall business objective of a procurement function may be seen as buying things. This, in turn, leads to the definition of the control objectives of the business area; for example, ensuring that goods are procured at the right price, at the right time, in the right quantity, in the right quality, for delivery to the right place.

Once the control objectives of the area under review are clearly and fully understood, the auditor may then proceed to identify those controls relied upon by the user to ensure that the control objectives are achieved. Many of these controls will be preventative and will not themselves leave a clear audit trail of the control efficiency and effec- tiveness. As a result, the auditor may have to look elsewhere for evi- dence that the controls are achieving that which was intended, and that the control objectives in fact are being achieved.

Once the auditor has identified the source of evidence as to the achievement of the control objectives, the appropriate audit technique and audit tools may be selected.

If these steps are omitted and the auditor proceeds directly to the interrogation of computer systems and the running of Computer Assisted Audit Techniques (CAATs), an audit will result that cannot be seen to be achieving its goals and objectives because the goals and objectives were unknown when the audit took place.

Only with careful consideration and planning can a successful audit occur.

The Elements

An audit should include:

■ _{Tentative determination of the objectives and scope of the audit.} This includes determining the objectives of the audit in consulta- tion with the auditees as well as what is to be included within the

scope of the audit and what will not be included. Once the objec- tives and scope have been finalized and agreed, an engagement letter clarifying the agreed scope and objectives should be sent to the client so that, at a later stage, no misunderstanding will arise as to what had been agreed would and would not be audited. ■ _{At this stage, the auditor will seek to determine the overall busi-}

ness objectives of the area to be reviewed as well as the control objectives. The background information regarding the area to be audited must be gathered. This involves a reading of operating procedure manuals and discussions with operating management in order to obtain the whole picture. This theory will be combined with a more practical approach involving interviewing user staff in order to both evaluate their understanding of the business and to confirm the auditor’s understanding. Site visits to observe the operation of specific business functions will also help. Further information and confirmation may be derived by comparing the current understanding of the controls to those identified and in operation during previous reviews.

The major products and services that are the key activities involved in meeting the business objectives must be identified. Once again, this will involve determining the level of manage- ment’s understanding of their own key performance areas (KPAs). ■ _{For each KPA, performance objectives must be established. This} involves seeking core activity targets that are both achievable and, at the same time, stretching. Key performance indicators (KPIs) must be identified that will enable the performance to be mea- sured appropriately. The risks and threats that could lead to non- achievement, underachievement, or even failure must then be assessed. Both external and internal threats must be considered.

Internal threats are those over which management has complete

control, such as choice of vendor.

External threats are those that management cannot directly con-

trol, but for which they must nevertheless develop a coping strat- egy, such as interest rate fluctuations or actions by competitors. ■ _{The overall intention of a specific audit may be classified as review-}

ing the design of the internal control system for adequacy, tests of compliance with the designed control system, and evaluation of the effectiveness of the implementation of the control system.

■ _{The selection of the audit team. In many cases the audit will be} conducted by a team of auditors that will include a mixture of dis- ciplines. Each team has typically several functions to perform, usually by different members of the team. These will include determining of objectives and scope, coordinating the work in- cluding assigning team members, coordinating the project with other work going on in the department at the same time, and reviewing all documentation for the audit process. In addition to these administrative functions, the conducting of the extended audit tests will be carried out by individual team members. In many smaller audits, or in departments where IT auditors are few, these functions are typically combined so that a single auditor will carry out all those functions. It is only once the team has been selected that the full time extent of the audit can be determined, because that time taken will be dependent upon the skills and experience of the individual team members.

■ _{Initial communication with the auditees and others involved in} the audit. Courtesy as well as good business of practice indicates that the auditor should notify the auditee and selected others prior to the commencement of the audit. This permits the audi- tees to make necessary preparation and arrange access to records, employees, and facilities. At this point it is appropriate for the audit team leader to draft an engagement letter outlining the information pertaining to the forthcoming audit. This letter con- firms discussions with the auditees and agreements reached on scope and objectives.

Obviously there are times—for example, fraud audits—where such preliminary communication would not be carried out in the same manner if, indeed, at all.

■ _{Preparation of the preliminary audit program. One of the most} critical areas in the planning process is establishing the audit pro- gram. This program is a detailed list of analytical steps to be car- ried out during the course of the audit. Preparation of this program enables the assignment of individual auditors to indi- vidual tasks within the overall audit. This is essential in time man- agement because individual auditors do not work at the same rates. Auditor productivity will be heavily dependent on the indi- vidual auditor’s experience and knowledge of the areas under review.

It should be stressed that this audit program is purely prelim- inary and will be modified during the course of subsequent audit operations as new information comes to light. As such, time esti- mates at this stage are precisely that, estimates.

One of the most common mistakes in preparing the prelimi- nary audit program is to simply list the questions to be asked. While this is part of an audit program, the critical element is the determination of which evidence will be examined, and how, in order to answer those questions. An example of a bad audit pro- gram would include a step to “determine if all purchase orders are appropriately signed.” A better step would be “take a statis- tically significant sample of purchase orders and compare the sig- natures to the authorized signatures list in order to determine whether all purchase orders are appropriately signed.”

■ _{The planning of the audit report. The best audit in the world is a} waste of time and money if necessary improvements do not take place. In order for management to be convinced that changes to control procedures are necessary, the auditor must produce a report that is objective but persuasive, clear, concise, constructive, and timely. The audit report communicates the result of the audit to the auditees and others in the organization. The planning for the audit report begins at the preparation stage of the audit process. Ultimately, all audit work is carried out in anticipation of the final audit report. Many auditors see the audit report as largely non-productive work and a task to be rushed and disposed of as soon as possible at the end of the audit. Nothing could be further from the truth. If this stage is rushed, a poor-quality report will result. In many cases it will lie unread on a manager’s desk and will have very little impact on the organization as a whole. A well-written audit report will typically result in a rapid response from the appropriate management levels to resolve the issues included therein. The contents of the final report are obviously unknown at the planning stage, however, because most audit departments use standardized report layout, it should be possible for the auditor to envisage the structure and appearance of the final report even if the actual contents are unknown.

■ _{Approval for the audit approach. It is the responsibility of the} in-charge auditor to review and approve the audit program prior to the commencement of actual work by the audit team. This

review includes determining that the audit objectives and scope are as required and that the specific audit procedures including in the audit program will lead to those audit objectives being accomplished.