Auditing Issues and Implication
By: Tasha • Research Paper • 2,183 Words • May 12, 2010 • 1,108 Views
Engagement Risk: Since the Pentagon is a government organization, normal business risk does not apply to this engagement. The engagement risk derives mainly from the legal consequences of our audit approaches. For example, the most effective way to test an individual application control, such as backup, is to simulate a real attack and examine how that specific control reacts. However, such a simulated attack may cause serious legal issues because of the nature of the client's organization.
Legal issues: These are also likely to arise when the engagement team is overwhelmed by the confidential information it can access during the engagement. Keeping the client's information confidential should be the top priority for this engagement. Therefore the firm must pre-negotiate with the client to determine what security procedures the client expects the engagement team members to follow.
Staffing issue: Because of the special nature of the client and the complexity of its control systems, more experienced and competent seniors are preferred. In addition, IT specialists are required to join the audit team to assist it with the IT environment.
Reporting issue: The format of the engagement report needs to be discussed and agreed with the client prior to the engagement. Since the client is a government organization, the reporting format should follow audit standards for government. The distribution of the report also needs special attention to ensure that confidentiality is protected.
General Control: General control issues, as discussed above, are moderately pervasive. The audit of general controls should emphasize assessing controls over the data network and access security. This is especially important because the organization uses unusual non-email communication internally, which may easily cause errors.
We must also examine the organization's current policies regarding system review and system changes, and find out whether proper procedures are followed, for example whether proper authorization is obtained and whether a cost/benefit analysis is conducted.
Auditing strategy
The following strategies are suggested for this engagement:
• May be able to rely on the general controls
• Work closely with the organization's internal control team and use observation, enquiry, and review of documentation to assess control weaknesses
• Ensure that any system changes or system reviews are conducted properly
• CAATs can be used for certain application controls. For example, to audit the system damage review control, CAATs can help auditors determine whether the system still functions well
1. Audit risk should be set as low for a number of reasons. For one, the internal controls are weak and inadequate. The Pentagon does not have appropriate IS access controls and as such is susceptible to attack. Inherent risk is high for all assertions, as the system is susceptible to attack by a number of parties (e.g. terrorists, nation-states, recreational hackers). Control risk is also high, as the control environment is adequate at best and a number of control activities need to be implemented.
2. The auditor should perform a detailed fraud-risk analysis for this audit. Given the number of attacks in the past and the continued security threat that the Pentagon faces, the auditor needs to be mindful of fraud and assess the control environment and all other factors to ensure that the probability of material misstatement as a result of fraud is minimized. The Pentagon is especially vulnerable to misappropriation of assets.
3. The auditor should use a combined approach during the audit. A substantive approach, although applicable for non-computer activities, cannot be used to evaluate the computer and accounting system. Auditing "through" the computer is required, as the system in place is a large part of the control environment and needs to be evaluated to assess internal control and determine the extent of substantive tests.
4. Audit trails may be difficult to find or use as a result of inadequate control design procedures and the inherent sensitivity of government data. As a result, CAATs may be required extensively throughout the audit to match source to destination or vice versa. As CAATs can test large volumes of information with good accuracy and speed, they are most likely the most economical option.
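As an added illustration (not part of the original paper), the following Python example shows the two-way matching a CAAT performs when the audit trail is weak: tracing source records forward to the destination and vouching destination records back to a source. The field names `ref` and `amount` and all sample records are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data: source documents (e.g. approved requests) and
# destination records (e.g. ledger postings), keyed by a shared reference.
SOURCE = [
    {"ref": "REQ-1001", "amount": "250.00"},
    {"ref": "REQ-1002", "amount": "75.50"},
    {"ref": "REQ-1003", "amount": "1200.00"},
    {"ref": "REQ-1003", "amount": "1200.00"},  # duplicate source document
]
DESTINATION = [
    {"ref": "REQ-1001", "amount": "250.00"},
    {"ref": "REQ-1003", "amount": "1020.00"},  # amount differs from source
    {"ref": "REQ-1999", "amount": "900.00"},   # no supporting source
]

def index_by_ref(records):
    """Return ({ref: Decimal amount}, [duplicate refs]) for one data set."""
    indexed, duplicates = {}, []
    for rec in records:
        ref = rec["ref"].strip().upper()
        if ref in indexed:
            duplicates.append(ref)
            continue
        indexed[ref] = Decimal(rec["amount"])
    return indexed, duplicates

def reconcile(source, destination):
    """Trace source -> destination and vouch destination -> source."""
    src, src_dups = index_by_ref(source)
    dst, dst_dups = index_by_ref(destination)
    both = src.keys() & dst.keys()
    return {
        # Source item never reached the destination (completeness exception).
        "unposted": sorted(src.keys() - dst.keys()),
        # Destination item has no source support (occurrence exception).
        "unsupported": sorted(dst.keys() - src.keys()),
        # Present on both sides but the amounts disagree (accuracy exception).
        "amount_mismatch": sorted(r for r in both if src[r] != dst[r]),
        # Same reference appears more than once within one data set.
        "duplicates": sorted(set(src_dups + dst_dups)),
    }

if __name__ == "__main__":
    for kind, refs in reconcile(SOURCE, DESTINATION).items():
        print(f"{kind}: {refs}")
```

Each exception list is a starting point for follow-up enquiry rather than a finding in itself.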
The staff should be well trained and keep in mind the sensitive nature of the information that is provided to them. They have to ensure that it is kept confidential, as a breach would be detrimental. Employee screening is very crucial because the information