This is my last week on this client. I finally understand the flow of walk-throughs. The first step is to Identify in scope IT applications that we will be testing or looking into further. I mentioned before that applications that can have financial impact are typically in scope. Next we determine which relevant IT applications are in scope for IT process procedures (i.e., an ITGC-reliance strategy or an IT-substantive strategy is being used). Then we Identify IT processes and relate them to IT applications. These steps lay the beginning foundation to the IT Audit.
The above steps take some time but after you have done the same client, it becomes easier because previous steps are already identified. However, if the client changes applications, we might have to start from scratch. The next section of work revolves around identifying and addressing IT risks. In order to champion this section, we have to obtain an understanding of the IT processes so that we can identify the IT risks that may occur for each IT process. Once we determine whether we have IT general controls or substantive procedures, we move on to testing.
Summary documentation is important as it helps us review and validate that the appropriate IT applications are in scope. We confirm whether the IT risks are reasonable and relevant to controls in place. At this time, the client decides on how to mitigate the risk or except the risk. Depending on size and structure, a small company with one IT person might accept the risk. However, a larger facility, like Point Park would most likely look into removing the risks completely.
I was fortunate enough to work on a client that had similar findings so I didn’t have to start from scratch. This enabled me to get a better view of the work involved and I can see how complicated planning can get when the company has 100,000+ employees. I took note that programming and pretty much all IT courses are helpful because we are communicating with IT professionals. Majoring in both Accounting and IT gives me leverage that allows me to keep up with the meeting and not have so many follow-up questions. I found myself downplaying the importance of Statistics, but it is definitely needed and I have real world experience why that is. IT/Risk Audit is a very interesting side of IT.