Lecture 6 - Advanced Auditing

Why must auditors consider IT risks?

They affect business continuity, data integrity, confidentiality, availability, and compliance.

What is the CIA model?

Availability, Integrity, Confidentiality.

Name IT-related compliance areas.

GDPR, ISO, NIS2, DORA.

What is an IT dependency?

A financial reporting process or control that relies on IT functioning correctly.

Examples of IT dependencies?

Automated controls, system calculations, interfaces, reports, segregation of duties in systems.

What happens if IT dependencies are unreliable?

Auditor cannot rely on controls; must increase substantive testing.

What are automated controls?

System-driven controls performing checks/approvals/calculations.

Why are reports an IT dependency?

They support key controls and audit evidence; reliability depends on ITGCs.

What are ITGCs?

Foundational controls ensuring reliable IT operations and automated controls.

What are the 3 core ITGC domains?

Change Management, Access Management, Continuity Management.

What is change management?

Controls over development, testing, and deployment of system changes.

Risks from poor change management?

Wrong system logic, wrong pricing, corrupted databases, bad data conversion.

What is access management?

Ensuring users have only appropriate system access.

Examples of access controls?

Authentication, authorization, access removal, privileged access monitoring.

Risks from weak access management?

Unauthorized data changes, segregation of duties issues.

What is continuity management?

Controls ensuring systems run reliably and can be restored.

Examples of continuity controls?

Backup/recovery, batch monitoring, intrusion detection, network security.

Risks from weak continuity controls?

Irrecoverable data loss, failed job processing, security breaches.

What are the two components of risk?

Likelihood and impact.

Preventive vs detective controls?

Preventive stop errors; detective identify them after occurrence.

What should auditors do when they identify an IT risk?

Determine controls that mitigate the risk and test them.

Why is the role of the accountant changing?

Increased automation, digital transformation, need for non-financial and forward-looking insights.

What new competencies do auditors need?

Data analytics, ITGC knowledge, cybersecurity understanding, digital process skills.