GTAG11 - The Institute of Internal Auditors

GTAG11-cover GTAG 11: Developing the IT Audit Plan
Results from several IIA external quality assessment reviews reveal that developing an appropriate IT audit plan is one of the weakest links in internal audit activities. Many times, internal auditors simply review what they know or outsource to other companies, letting them decide what to audit.

To this end, Developing the IT Audit Plan can help CAEs and internal auditors:

Understand the organization and how IT supports it.
Define and understand the IT environment.
Identify the role of risk assessments in determining the IT audit universe.
Formalize the annual IT audit plan.

This GTAG also provides an example of a hypothetical organization to show how to execute the steps necessary to define the IT audit universe.

TABLE OF CONTENTS
1. Executive Summary
2. Introduction
2.1 IT Audit Plan Development Process
3. Understanding the Business
3.1 Organizational Uniqueness
3.2 Understanding the Operating Environment
3.3 IT Environment Factors
4. Defining the IT Audit Universe
4.1 Examining the Business Model
4.2 Role of Supporting Technologies
4.3 Annual Business Plans
4.4 Centralized and Decentralized IT Functions
4.5. IT Support Processes
4.6. Regulatory Compliance
4.7. Define Audit Subject Areas
4.8. Business Applications
4.9. Assessing Risk
5. Performing a Risk Assessment
5.1 Risk Assessment Process
5.1.1 Identify and Understand Business Objectives
5.1.2 Identify and Understand IT Strategy
5.1.3 IT Universe
5.2 Ranking Risk
5.3 Leading IT Governance Frameworks
6. Formalizing the IT Audit Plan
6.1 Audit Plan Context
6.2 Assurance and Consulting Services Requests
6.3 Audit Frequency
6.4 Audit Plan Principles
6.5 The IT Audit Plan Content
6.6 Integration of the IT Audit Plan
6.7 Validating the Audit Plan
6.8 The Dynamic Nature of the IT Audit Plan
6.9 Communicating, Gaining Executive Support, and Obtaining Plan Approval
Appendix: Hypothetical Company Example

Authors
Kirk Rehage, Chevron Corp. : : Steve Hunt, Crowe Chizek and Co. LLC
Fernando Nikitin, Inter-American Development Bank

Download a free copy of this GTAG (PDF, 1MB).
Purchase a printed version.
Download form for permission to translate to another language(PDF, 20KB).

Quick Search Advanced Search Site Map IIA Popular Pages About the Profession New Fraud Guidance Virtual Seminars CIA Preparation GTAG Series		Home / Professional Guidance / Information Technology / GTAG / GTAG11 GTAG 11: Developing the IT Audit Plan Results from several IIA external quality assessment reviews reveal that developing an appropriate IT audit plan is one of the weakest links in internal audit activities. Many times, internal auditors simply review what they know or outsource to other companies, letting them decide what to audit. To this end, Developing the IT Audit Plan can help CAEs and internal auditors: Understand the organization and how IT supports it. Define and understand the IT environment. Identify the role of risk assessments in determining the IT audit universe. Formalize the annual IT audit plan. This GTAG also provides an example of a hypothetical organization to show how to execute the steps necessary to define the IT audit universe. TABLE OF CONTENTS 1. Executive Summary 2. Introduction 2.1 IT Audit Plan Development Process 3. Understanding the Business 3.1 Organizational Uniqueness 3.2 Understanding the Operating Environment 3.3 IT Environment Factors 4. Defining the IT Audit Universe 4.1 Examining the Business Model 4.2 Role of Supporting Technologies 4.3 Annual Business Plans 4.4 Centralized and Decentralized IT Functions 4.5. IT Support Processes 4.6. Regulatory Compliance 4.7. Define Audit Subject Areas 4.8. Business Applications 4.9. Assessing Risk 5. Performing a Risk Assessment 5.1 Risk Assessment Process 5.1.1 Identify and Understand Business Objectives 5.1.2 Identify and Understand IT Strategy 5.1.3 IT Universe 5.2 Ranking Risk 5.3 Leading IT Governance Frameworks 6. Formalizing the IT Audit Plan 6.1 Audit Plan Context 6.2 Assurance and Consulting Services Requests 6.3 Audit Frequency 6.4 Audit Plan Principles 6.5 The IT Audit Plan Content 6.6 Integration of the IT Audit Plan 6.7 Validating the Audit Plan 6.8 The Dynamic Nature of the IT Audit Plan 6.9 Communicating, Gaining Executive Support, and Obtaining Plan Approval Appendix: Hypothetical Company Example Authors Kirk Rehage, Chevron Corp. : : Steve Hunt, Crowe Chizek and Co. LLC Fernando Nikitin, Inter-American Development Bank Download a free copy of this GTAG (PDF, 1MB). Purchase a printed version. Download form for permission to translate to another language(PDF, 20KB).		Global Technology Audit Guides (GTAG^®) Guide 1 Guide 2 Guide 3 Guide 4 Guide 5 Guide 6 Guide 7 Guide 8 Guide 9 Guide 10 Guide 11 IT Resources Review some of the latest IT Resources available for IT auditing. GAIT Project Learn more about the ongoing IT auditing guidance project known as the Guide to the Assessment of ITGeneral Controls Scope Based on Risk (GAIT). Information Technology