Planning the audit
This is usually the first step in any audit. It is important to have a plan for an audit so as to ensure that the audit will be effective. During the planning stage, the auditor collects information about the organization where they will perform the audit. Such information is usually obtained after the auditor has been contracted and they have a meeting with the organization. The meeting with the organization is very important for the auditor. The meeting provides an opportunity for the organization to communicate to the auditor what they exactly need from the audit. The organization will provide details such as when they require the audit to be done. Using such information, the auditor will plan their schedule so that it is convenient for them and the organization they are auditing (Senft & Gallegos, 2013).
Gathering data
The second step will be gathering of actual data related to the resources being audited. For instance, in an IT audit, the organization should have a record of all IT resources in their possession (Senft & Gallegos, 2013). The auditor will gather this data in order to ensure that every resource is accounted for. Each resource is meant to perform a certain function and the auditor will gather data to prove whether each resource is being utilized as intended. For software resources, the auditor will usually use the documentation to determine whether the software works as designed.
Testing controls
Many systems will have inbuilt controls. For instance, in many organizations, cash withdrawals can only be made after obtaining signatures from two or three signatories. The auditor will then test the controls after gathering data to determine whether they are working as intended. During the testing stage, it is likely that some controls will be found to be defective. Changes are therefore made on these controls to ensure that they work as intended (Senft & Gallegos, 2013).
Test changes
Changes are made in order to ensure that the resources being audited or the controls within the resources are working as intended. However, after the changes are actually made, it cannot be determined that they will work as expected before testing is done. The testing phase involves running the resources and controls as expected during normal working. However, test data is used where the results are already known. If the system returns the expected changes after the test, the changes can be said to be effective.
Analyze, report findings and respond to organization queries
After the changes have been made and testing has been conducted to ensure that they work as expected, the findings of the audit are analyzed. This involves compiling the data for the things that were working as expected, what was not working as well as what has been changed. All these findings are reported to the organization management. After the findings have been handed over to the organization, the auditor has to give the organization an opportunity to ask questions. The auditor will then respond to any queries or issues raised by the organization before proceeding (Senft & Gallegos, 2013).
Issue final report and recommendations
The final report should be all-inclusive. It details every activity carried out during the audit. It is important to document every auditing activity so as to ensure that the correct procedures were followed. This allows for replication of the audit. In case of any problems, the documentation can be used to identify the possible areas where the problems arose. The handing over of the final audit report to the organization is usually the indicator of the end of the audit process.
Reference
Senft, S., & Gallegos, F. (2013). Information technology control and audit. CRC Press.
