IT Audit Bootcamp

This Workshop will focus primarily on the key decisions related to planning the internal control approach in the context of an integrated audit performed in accordance with the standards of the PCAOB. Portions of this training will incorporate the ISA (International Standards on Auditing) as well. These topics generally apply to an integrated audit conducted in accordance with the standards of the PCAOB when we are using a control reliance strategy.

Training Logo

Identify planning considerations for an audit of internal control over financial reporting, including likely sources of misstatement and testing design effectiveness. Identify testing operating effectiveness and concluding on effectiveness of controls. Recognize how IT affects flows of transactions, identify relevant technology elements, assess risks arising from IT. Understand, identify and test relevant GITCs and evaluate deficiencies in GITCs and assess the impact of GITC deficiencies on the audit.

  • Duration
    40 hours
  • Batches
    Customizable as per your need
  • Suitable for
    professionals, students etc.
  • Course Details
    Download PDF
What you will learn
  • The law that establishes the requirements for management to assess the effectiveness of ICFR and to have an independent audit of its ICFR are set forth in Section 404 of the Sarbanes-Oxley. PCAOB AS 2201 establishes the requirements for an audit of ICFR. An integrated audit accomplishes the objectives of both an audit of ICFR and audit of financial statements.
  • The “measuring stick” for assessing effective ICFR is the framework selected by management (generally, COSO).
  • Identification of the risks of material misstatement includes the consideration of the risk of fraud.
  • PCAOB AS 2201.34 requires us to identify the controls implemented to address potential misstatements.
  • For relevant controls, we evaluate design effectiveness; and, we test the operating effectiveness of these controls
  • Use Higher or Not Higher classifications when concluding on the risk associated with the control. Document the conclusion and the basis for the classification of the risk associated with the control.
  • Plan the nature, timing and extent of tests of operating effectiveness based on the risk associated with the control.
  • Document nature of tests of operating effectiveness as inquiry, observation, inspection of documentation, and/or reperformance.
  • The understanding of IT (along with understanding of other areas of internal control) helps identify if we are placing reliance upon automated controls, system generated reports, data, & substantive procedures not enough, that is an input into the scoping process for GITCs.
  • General IT controls are the policies and procedures that serve to support the effective functioning of applications, including the effective operation of automated controls embedded in the applications, the integrity of reports generated from the applications, and the security of data housed within the applications. Areas of GITC are evaluated across technology layers.
  • We typically consider the following elements when testing IPE - Source Data, Report Logic, Report Parameters. Testing GITCs alone is not enough to address IPE.
  • When considering the design of a control, determine whether there is information used in the control (IUC). We must test controls over accuracy and completeness of IUC.
  • When using the work of others, consider whether such work is sufficient to meet our needs.
  • Align with the audit team on relevant automated controls and obtain a clear understanding to appropriately test the control
  • If IT monitoring/review controls are relevant to the audit, obtain a clear understanding through walkthroughs and determine if the control is designed appropriately including consideration of segregation of duties and completeness and accuracy of logs.
  • Segregation of duties divides functions and reduces chance that someone could commit and conceal fraud.
  • If the user auditor plans to use an SSAE18 SOC1 report as audit evidence, the auditor should evaluate the report period, the sufficiency of audit evidence, and assess the complementary user entity controls and identified deficiencies.
  • If a tool is used within an entity’s GITCs, perform relevant procedures over that tool
  • If your client experiences a cyber breach, consult!
  • Document the nature and cause of identified deviations. Evaluate whether identified deviations are control deficiencies. Recognize that it is rare for deviations to not result in a control deficiency. Use decision trees from the Internal Control Guide while evaluating deficiencies
  • There are key differences between an AICPA/ISA audit and a PCAOB audit.

Course Agenda


Planning considerations related to an audit of ICFR


Identify and understand entity-level controls


Identify the relevant flows of transactions (processes) and the relevant IT environments.


Internal control planning considerations in an integrated group audit


Understand likely sources of misstatement


Select Controls using a Top-Down Approach


Test and conclude on design effectiveness


Assess the risk associated with the control


Plan the nature, timing, and extent, and perform tests of operating effectiveness


Assess findings and conclude on the effectiveness of the control


Role of IT Specialists & Process Flow for General IT Controls


Understand How IT Affects the Flow of Transactions and Identify Relevant Technology Elements


Identify and Assess Risks Arising from IT


Identify and understand entity-level controls


Understand, Identify and Test Relevant General IT Controls


Conclude on Risks Arising from IT and Determine Audit Response & Evaluate Deficiencies in General IT Controls


Considerations for audits in accordance with AICPA/ISA standards


Documentation Considerations and Key Resources for General IT Controls Review and wrap up


Question and answer session


Why Choose us?

Over 200 classes are scheduled conveniently every year with small training groups and industry experienced faculties that provides:

  • One-Stop shop for IT Training
  • Companywide IT Training Solutions
  • Interactive Teaching Methodology
  • Job Oriented Training Solutions
  • Flexible modes of training
  • Recorded sessions are available
  • Live Project Experience

In a hurry? Let's chat!

Contact us on Whatsapp
Our Locations