GTAG 11 presentation (PPT, 350KB)
Global Technology Audit Guide (GTAG) series
Guide to the Assessment of IT Risk (GAIT) series
IT Audit Guidance main page
GTAG 11: Developing the IT Audit Plan
Download (members only): PDF, 2.9MB
Purchase from The IIA Research Foundation Bookstore
Rate this guide
Results from several IIA external quality assessment reviews reveal that developing an appropriate IT audit plan is one of the weakest links in internal audit activities. Many times, internal auditors simply review what they know or outsource to other companies, letting them decide what to audit.
To this end, Developing the IT Audit Plan can help CAEs and internal auditors:
- Understand the organization and how IT supports it.
- Define and understand the IT environment.
- Identify the role of risk assessments in determining the IT audit universe.
- Formalize the annual IT audit plan.
This GTAG also provides an example of a hypothetical organization to show how to execute the steps necessary to define the IT audit universe.
TABLE OF CONTENTS
1. Executive Summary
2. Introduction
2.1 IT Audit Plan Development Process
3. Understanding the Business
3.1 Organizational Uniqueness
3.2 Understanding the Operating Environment
3.3 IT Environment Factors
4. Defining the IT Audit Universe
4.1 Examining the Business Model
4.2 Role of Supporting Technologies
4.3 Annual Business Plans
4.4 Centralized and Decentralized IT Functions
4.5. IT Support Processes
4.6. Regulatory Compliance
4.7. Define Audit Subject Areas
4.8. Business Applications
4.9. Assessing Risk
5. Performing a Risk Assessment
5.1 Risk Assessment Process
5.1.1 Identify and Understand Business Objectives
5.1.2 Identify and Understand IT Strategy
5.1.3 IT Universe
5.2 Ranking Risk
5.3 Leading IT Governance Frameworks
6. Formalizing the IT Audit Plan
6.1 Audit Plan Context
6.2 Assurance and Consulting Services Requests
6.3 Audit Frequency
6.4 Audit Plan Principles
6.5 The IT Audit Plan Content
6.6 Integration of the IT Audit Plan
6.7 Validating the Audit Plan
6.8 The Dynamic Nature of the IT Audit Plan
6.9 Communicating, Gaining Executive Support, and Obtaining Plan Approval
Appendix: Hypothetical Company Example
Authors
Kirk Rehage, Chevron Corp.
Steve Hunt, Crowe Horwath LLP
Fernando Nikitin, Inter-American Development Bank
Questions for the authors about this guide? E-mail technology@theiia.org.