Subsystem Interaction and Reliability

Auditors usually begin their analysis with the lowest level of subsystem activity attempting to identify all the different types of events that occur in these subsystems. Through this effort, the auditor begins to build a vision of what happens in the organization's business processes. Auditors must be mindful of two levels of prohibited events, prohibited events that are presently occurring and prohibited events that might occur in the future. In this vein, it is important for the auditor to focus her attention on the major process functions and how each subsystem supports the process's mission. One of the most important aspects of identifying permissible events in management subsystems is the determination of how a particular function should be performed within the subsystem. After the auditor performs research in the management subsystem, it should be clear how the management subsystems vary between circumstances in each relevant business unit.

A valid basis for identifying events in applications subsystems, attention must be placed on the transactions that occur as data is input to the subsystem. Events in an application subsystem cause changes in the application's state when the data is received in the form of input. More events take place as the application processes the transaction. Permitted events occur if the transaction and processing are authorized, complete, accurate, and not redundant. If anything otherwise occurs, a prohibited event occurred.

Risks Affecting Auditors

Information technology auditors must be concerned with four essential goals:

• Safeguarding critical assets

• Data integrity

• System effectiveness

• System efficiency

All auditors must consider that errors or irregularities will cause financial losses to the organization. Auditors collect evidence to achieve their goals, but there are inherent risks in these efforts. There is a risk that auditors may fail to detect actual or potential misstatements or process errors through the course of the audit. Experienced auditors approach and design their audit programs in such a fashion as they can fully articulate and document their efforts to minimize audit risks. If they fail to adequately address audit risk, audit results will not be valid and will not represent the true state of the system.

Assessing the levels of control risk associated within an audit segment, auditors consider the reliability of, and implementation of management and application controls. It is important to remember that management controls are fundamental controls in that they govern all application systems. In this hierarchical view, the absence of some or all management controls is a serious matter and reason for immediate action on the part of senior managers.

Once auditors have evaluated a management control and it is discovered that it spans the business unit's operation, it should function in relevant subsystem applications. For example, if an auditor reviews an adequate sample and discovers that an organization enforces high documentation standards of software development, it is likely these standards are enforced throughout the software development unit. Therefore, it is unlikely the auditor will review all documentation in all software development projects. Rather, she will select a representative amount ensuring that adequate documentation standards are observed thereby addressing any audit risk.

Experienced auditors estimate the level of detection risk they might achieve within a given set of audit procedures. They develop a good understanding of the probability these procedures have in detecting material loss or misstatements. It is very important that auditors choose audit procedures that provide the organization with an acceptable level of detection risk. In light of deadlines and limited resources, addressing audit risks must be focused on areas where they can deliver the highest payoffs.

Frequently, auditors cannot collect evidence to the extent they would prefer because they must spread their abilities among so many demands. They must be careful in the terms of where they apply their audit practice and how they interpret the evidence they collect. Throughout the audit, they must continuously make decisions based on their experience and training. It is their knowledge of audit methodology, material evidence collection and acceptable risks that guides them in making decisions as to what should be reported, to whom, and when.

Generally Accepted Government Auditing Standards (GAGAS)

According to GAGAS 4.21, auditors should obtain a sufficient understanding of internal control to plan the audit and determine the nature, timing, and extent of tests to be performed. According to GAGAS 4.21.1, auditors must consider the following when conducting an audit:

• The extent to which computer processing is used in each significant accounting application

• The complexity of the entity's computer operations

• The organizational structure of the computer processing activities

• The kinds and competence of available evidential matter in electronic and paper formats to achieve audit objectives

Audit Procedures

Auditors generally use five types of procedures in collecting evidence for their audits:

1. Procedures in obtaining an understanding of system controls. Auditors will make inquiries, inspections, and observations to obtain an understanding of the controls that exist, the design of the controls, and whether the controls have been implemented. Inquiries, inspections, and observations can be used in obtaining an understanding of the controls affecting the company's asset safeguards. It is important to remember the three critical asset pillars: human resources, data, and physical facilities.

2. Tests of controls. Auditors will make inquiries, inspections, observations, and reperformance of control procedures to determine whether controls are operating effectively and efficiently. These tests deal with whether controls have been designed and whether they are effectively operating. For example, the auditors will determine if the operations manager reviews system response times and what substantive steps she has taken to address unacceptable system response times.

3. Transactions tests. These tests are designed by the auditors to detect errors or irregularities in system transactions that affect the organization. For example, an auditor would verify that accounts payable transactions are correctly posted in the business' financial journals and ledgers. Auditors must evaluate the limits of transaction effectiveness and efficiency. For example, auditors sample system response times for individual transactions attempting to determine if they are within acceptable limits.

4. Analytical review. Tests of an analytical nature look at relationships between data items in identifying areas. For example, an auditor examines two years of inventory levels to determine if there are substantive levels of fluctuation requiring further investigation. Auditors may employ similar procedures in evaluating the effectiveness and efficiency of an organization's operation: These are comparisons between two related procedures concerning effectiveness and efficiency. For example, auditors will design a model where the amount of document processing by the system is evaluated and compared with the previous two years.

5. Tests of system results. These are tests of management's assertions regarding effectiveness and efficiency. For example, senior IT management may assert that system response time over the past two years is three seconds. Auditors will design a sampling technique where a survey of system users is made to determine the validity of this assertion for the applicable period.