EDP Audit practices

Type of Audit:

Financial attest audit is the most prevalent type, followed by security evaluations. This trend is common to all categories of SAIs, though the percentages are high for SAIs that have more than 75% IT auditees.

Involvement during development of IT systems:

In most countries, auditees are not required to consult or inform the SAI before introducing IT-based systems. However, a number of SAIs do get involved during the development phase of the IT systems of auditees, primarily with a view to providing an audit trail for themselves. Some SAIs even approve system design and perhaps see no difficulty in this arrangement. Some get involved to ensure adherence to prescribed standards/methodologies or to incorporate "embedded audit modules".

Timing of IT Audit:

The majority of SAIs undertake IT audit during the normal audit cycle though some do so at the design/development stage or soon after implementation.

IT audit personnel:

SAIs seem to prefer using both IT experts and generalist auditors for conducting their EDP audits as shown below. The practice of engaging IT professionals (external consultants) for assisting the EDP audit teams is also prevalent.

Guidelines for IT audit:

39 SAIs have stated that they either have evolved or follow guidelines for auditing EDP systems; 46 SAIs replied that they do not have such guidelines. The proportion of SAIs using such guidelines is higher among the SAIs who have more EDP auditees.

Right to auditees' magnetic data:

SAIs by and large have the legal right to get magnetic data from their auditees.

                    Yes    No    Not certain
Have legal right     69    11    14

Of the 69 SAIs who have the right, 58 do not have restrictions on this right while 10 have some restrictions. 40 of the 69 SAIs follow special security procedures while dealing with auditees' magnetic data.