For this assignment, you will continue using the Gail Industries Case Study. The audit for SCOPE is complete. As the IT manager, it is your responsibility to respond to the audit findings. Read

Audit Evidence Worksheet

Instructions
  • Describe the evidence gathering process and the sampling methodologies the auditors may use for the controls being tested.

  • Complete the “Explanation of Findings” column for each of the control objectives with preliminary findings you expect the auditors will discover based on the “Partially Collected Audit Evidence” section of the case study.

  • Explain why you believe each is a finding. Refer to the “Control Objectives and Related Controls” section of the case study to support your findings.

  • Identify how you will inform leadership of findings and of what has been addressed during the audit.

Evidence Gathering Process

Evidence gathering

We will gather evidence through the five types of audit testing: inquiry, observation, examination or inspection of evidence, re-performance, and Computer Assisted Audit Technique (CAAT) (DeCesare, 2019).

Inquiry

According to DeCesare (2019), inquiry is where the auditor asks relevant questions of relevant personnel (e.g., the organization’s managers) and notes down the responses. An example question is: are visitors to the data center escorted by authorized personnel at all times?

Observation

Observation involves the auditor watching tasks as they happen (DeCesare, 2019). For example, an auditor can observe whether the data center door is only ever opened by authorized personnel using a badge.

Examination or inspection of evidence

According to DeCesare (2019), examination is where “auditors determine whether controls are being consistently performed and properly documented”. For example, an auditor can inspect the visitor logs to see whether every visitor is documented and the purpose of each visit is recorded.

Re-performance

According to DeCesare (2019), re-performance is where the auditor manually executes the control under review. For example, an auditor can attempt to access the data center using multi-factor authentication to verify whether the access control actually works.

Computer Assisted Audit Technique (CAAT)

According to DeCesare (2019), the CAAT “method of testing is often used to analyze large volumes of data, but it can also be used to analyze every transaction, rather than just a sample of all performed transactions”. An auditor can use this method to analyze all payment transactions rather than a sample of them.

Sampling methodologies

The sampling methodologies that the auditor will use are simple random sampling, haphazard sampling, and block sampling.

Simple random sampling

According to Hemmer (2018), simple random sampling is where “every unit has the same probability of being selected”. We will use a random number generator to select employees and then ascertain whether they have badges and whether those badges can access the office premises.

Haphazard sampling

According to Hemmer (2018), haphazard sampling is where “selections are made from the population without any bias”. For example, we will inspect a few hand-held fire extinguishers chosen without any conscious bias.

Block sampling

According to Hemmer (2018), block sampling “represents contiguous population items”. For example, we will use block sampling to select twenty consecutive employees from the payroll and evaluate their password length, strength, history, etc.

Preliminary Findings

Use the table below to organize your analysis of the audit evidence.

Note: Add additional rows as needed. The first row has been filled out for you as an example.

Columns: Control Objective / Control / Explanation of Findings

Example: Control Objective 7: Controls provide reasonable assurance that transmitted payment data is complete, accurate, and timely.
Control: An electronic scheduler is monitored by IT staff for inbound and outbound transmissions on a daily basis.
Explanation of Findings: A random sample of 51 days from the transmission log found no evidence of monitoring on 3 days: April 1, 2018; July 4, 2018; and September 22, 2018.

Control Objective 1: Controls provide reasonable assurance that physical access to computer resources within Gail Industries’ data center is restricted to authorized and appropriate personnel.
Control: All visitors must sign a logbook upon entering the data center with a picture ID presented to their escort.
Explanation of Findings: An inspection of the visitor logs shows that on one occasion (12th March 2019) a visitor did not leave their document upon entering the premises, and on another occasion (13th Nov 2019) a visitor presented a business card instead of a national ID and/or driver’s license.

Control Objective 2: Controls provide reasonable assurance that physical access to assets within Gail Industries’ facilities is restricted to authorized and appropriate personnel.
Control: Upon termination (voluntary or involuntary), SCOPE IT personnel revoke the badge access privileges as a task in the termination process. In addition, the IT manager performs a monthly review of badge access privileges to ensure that terminated employees do not retain badge access.
Explanation of Findings: We found that upon the termination of an employee, his/her badge can still access the facility for a period of time until the IT manager reviews the badge access privileges, which is done on a monthly basis.

Control Objective 3: Controls provide reasonable assurance that environmental safeguards protect physical assets and the data that resides on those assets.
Control: The office facility is protected by audible and visual alarms, fire and smoke detectors, a sprinkler system, and hand-held fire extinguishers.
Explanation of Findings: Five offices did not have hand-held fire extinguishers. Gail Industries did not provide any proof that employees are being educated on safety measures and on how to use the hand-held fire extinguishers.

Control Objective 5: Controls provide reasonable assurance that administrative access to network infrastructure and operating system resources is restricted to authorized and appropriate users to support user entities’ internal control over financial reporting.
Control: Invalid password account lockout threshold.
Explanation of Findings: The system allows 12 invalid login attempts before it locks the account out.

Control Objective 6: Controls provide reasonable assurance that payments received are processed accurately and timely, and processing exceptions are resolved.
Control: When mail is delivered by the courier, both the courier and the mailroom supervisor initial the mail receipt log to verify the envelope count received.
Explanation of Findings: A random sample of 60 days of the mail receipt log found no evidence that both the courier and the mailroom supervisor initialed the log to verify the envelope count received on 2 days: April 10th, 2018, and May 5th, 2018.

Communicating to Leadership

We will communicate with leadership using an executive summary that summarizes our findings (Guiamo, 2019). The executive summary will also state the scope and objectives of the audit. The scope of the audit covers the controls in the following areas and analyzes whether they are being implemented as required: physical security (data center), physical security (facilities), environmental safeguards, change management, logical security, payment processing, data transmission, and deposits. The findings only indicate where the controls are not being implemented as designed.

References

DeCesare, J. (2019). The five types of testing methods used during audit procedures. Retrieved from https://www.ispartnersllc.com/blog/five-types-testing-methods-used-audits/

Guijamo, R. (2019). Communicating internal audit findings: best practices for success. Retrieved from https://doeren.com/communicating-internal-audit-findings-best-practices-for-success/

Hemmer, N. (2018). Audit sampling in SOC examinations. Retrieved from https://linfordco.com/blog/audit-sampling/