
The Process of Auditing Information Systems

ORGANIZATION OF IS AUDIT FUNCTION

- The role of the IS internal audit function should be established by an audit charter.
- If IS audit services are provided by an external firm, the scope and objectives of these services should be documented in a formal contract and statement of work between the contracting organization and the service provider.

AUDIT CHARTER

- IS audit services can be provided externally and internally.
- Audit charter (or engagement letter):
  - States management's responsibility and objectives for, and delegation of authority to, the IS audit function
  - Outlines the overall authority, scope and responsibilities of the audit function
- Approval of the audit charter: senior management
- Change in the audit charter: only if thoroughly justified

IS AUDIT RESOURCE MANAGEMENT

- Limited number of IS auditors
- Maintenance of their technical competence (skills and knowledge)
- Assignment of audit staff (resources)
- Framework and methodology

AUDIT PLANNING

Audit planning
- Short-term planning
- Long-term planning
- Things to consider:
  - New control issues
  - Changing technologies
  - Changing business processes
  - Enhanced evaluation techniques
- Individual audit planning:
  - Understanding of overall environment
  - Business practices and functions
  - Information systems and technology

Audit Planning Steps
1. Gain an understanding of the business's mission, objectives, purpose and processes.
2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure).
3. Perform a risk analysis to help in designing the audit plan.
4. Set the audit scope and audit objectives.
5. Develop the audit approach or audit strategy.
6. Assign personnel resources to the audit.
7. Address engagement logistics.

Steps an IS auditor could take to gain an understanding of the business include:
- Reading background material including publications, annual reports and independent financial reports
- Reviewing prior audit reports and IT-related reports (from external or internal reports or specific reviews such as regulatory reviews)
- Reviewing business and IT long-term strategic plans
- Interviewing key managers to understand business issues
- Identifying specific regulations applicable to IT
- Identifying IT functions or related activities that have been outsourced
- Touring key organization facilities

EFFECT OF LAWS AND REGULATIONS

- Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls.
- Regulatory requirements concerning IS audit:
  - Establishment of regulatory requirements
  - Organization of regulatory requirements
  - Responsibilities assigned to the corresponding entities
  - Correlation to financial, operational and IT audit functions

EFFECT OF LAWS AND REGULATIONS (Contd)

Two major areas of concern:
- Legal requirements (laws, regulations and contractual agreements) placed on audit or IS audit
- Legal requirements placed on the auditee and its systems, data management, reporting etc.

Steps to determine compliance with external requirements:
- Identify external requirements
- Document pertinent laws and regulations
- Assess whether management and the IS function have considered the relevant external requirements
- Review internal IS department documents that address adherence to applicable laws
- Determine adherence to established procedures

ISACA IS AUDITING STANDARDS AND GUIDELINES

IS Auditing Standards
1. Audit charter
2. Independence
3. Ethics and standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning

INTERNAL CONTROL

Internal Controls
- Policies, procedures, practices and organizational structures implemented to reduce risks

Components of Internal Control System
- Internal accounting controls
  - Primarily directed at accounting operations, such as the safeguarding of assets and the reliability of financial records
- Operational controls
  - Directed at the day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives
- Administrative controls
  - Concerned with operational efficiency in a functional area and adherence to management policies, including operational controls. These can be described as supporting the operational controls specifically concerned with operating efficiency and adherence to organizational policy.

INTERNAL CONTROL

Internal Control Objectives
- Safeguarding of information technology assets
- Compliance to corporate policies or legal requirements
- Authorization/input
- Confidentiality
- Accuracy and completeness of data / processing of transactions
- Output
- Reliability of process
- Availability of IT services
- Efficiency and economy of operations
- Change management process for IT and related systems

Classification of Internal Controls
- Preventive controls - These controls are to deter problems before they arise, e.g. control of access to physical facilities, encryption software etc.
- Detective controls - Controls that detect and report the occurrence of an error, omission or malicious act.
- Corrective controls - These controls minimize the impact of a threat, remedy problems discovered by detective controls and identify the cause of a problem.

INTERNAL CONTROL

IS Control Objectives
- Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.
- Safeguarding assets
- Assuring the integrity of general operating system environments
- Assuring the integrity of sensitive and critical application system environments through:
  - Authorization of the input
  - Accuracy and completeness of processing of transactions
  - Reliability of overall information processing activities
  - Accuracy, completeness and security of the output
  - Database integrity, availability and confidentiality

IS Control Objectives (Contd)
- Ensuring the efficiency and effectiveness of operations
- Complying with requirements, policies and procedures, and applicable laws
- Developing business continuity and disaster recovery plans
- Developing an incident response plan
- Implementing effective change management procedures

General Control Procedures
- Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

INTERNAL CONTROL

General Control Procedures (Contd)
- Internal accounting controls directed at accounting operations
- Operational controls concerned with the day-to-day operations
- Administrative controls concerned with operational efficiency and adherence to management policies
- Organizational logical security policies and procedures
- Overall policies for the design and use of documents and records
- Procedures and features to ensure authorized access to assets
- Physical security policies for all data centers

IS Control Procedures
- Each general control procedure can be translated into an IS-specific control procedure. A well-designed information system should have controls built in for all its sensitive or critical functions:
  - Strategy and direction
  - General organization and management
  - Access to data and programs
  - Systems development methodologies and change control
  - Data processing operations
  - Systems programming and technical support functions
  - Data processing quality assurance procedures
  - Physical access controls
  - Business continuity/disaster recovery planning
  - Networks and communications
  - Database administration

PERFORMING AN IS AUDIT

Classification of audits:
- Financial audits assess the correctness of an organization's financial statements. A financial audit will often involve detailed, substantive testing. This kind of audit relates to information integrity and reliability.
- Operational audits evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits.
- Integrated audits combine financial and operational audit steps. An integrated audit is also performed to assess the overall objectives within an organization, related to financial information and assets safeguarding, efficiency and compliance.
- Administrative audits assess issues related to the efficiency of operational productivity within an organization.
- Information systems audits
- Specialized audits: within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties and forensic auditing.
- Forensic audits: the forensic professional has been called upon to participate in investigations related to corporate fraud and cybercrime.

PERFORMING AN IS AUDIT

Audit Programs
- The audit work program is the audit strategy and plan; it identifies scope, audit objectives and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.
- Based on the scope and the objective of the particular assignment
- IS auditor's perspectives:
  - Security (confidentiality, integrity and availability)
  - Quality (effectiveness, efficiency)
  - Fiduciary (compliance, reliability)
  - Service and capacity

General audit procedures
- Understanding of the audit area/subject
- Risk assessment and general audit plan
- Detailed audit planning
- Preliminary review of audit area/subject
- Evaluating audit area/subject
- Compliance testing (often referred to as tests of controls)
- Substantive testing (confirming the accuracy of information)
- Reporting (communicating results)
- Follow-up

PERFORMING AN IS AUDIT

Procedures for testing and evaluating IS controls
- Use of generalized audit software to survey the contents of data files (including system logs)
- Use of specialized software to assess the contents of operating system parameter files
- Flow-charting techniques for documenting automated applications and business processes
- The use of audit logs/reports
- Documentation review
- Inquiry and observation
- Walkthroughs
- Re-performance of controls

Audit Methodology
- A set of documented audit procedures designed to achieve planned audit objectives
- Composed of:
  - Statement of scope
  - Statement of audit objectives
  - Statement of work programs
- Set up and approved by the audit management
- Communicated to all audit staff

PERFORMING AN IS AUDIT

Typical audit phases
1. Audit subject
   - Identify the area to be audited
2. Audit objective
   - Identify the purpose of the audit
3. Audit scope
   - Identify the specific systems, function or unit of the organization
4. Pre-audit planning
   - Identify technical skills and resources needed
   - Identify the sources of information for test or review
   - Identify locations or facilities to be audited
5. Audit procedures and steps for data gathering
   - Identify and select the audit approach
   - Identify a list of individuals to interview
   - Identify and obtain departmental policies, standards and guidelines
   - Develop audit tools and methodology
6. Procedures for evaluating test/review results
7. Procedures for communication
8. Audit report preparation
   - Identify follow-up review procedures
   - Identify procedures to evaluate/test operational efficiency and effectiveness
   - Identify procedures to test controls
   - Review and evaluate the soundness of documents, policies and procedures

PERFORMING AN IS AUDIT

Workpapers (WPs)
- Working papers can be considered the bridge or interface between the audit objectives and the final report.
- Do not have to be on paper
- Must be:
  - Dated
  - Initialed
  - Page-numbered
  - Relevant
  - Complete
  - Clear
  - Properly labeled
  - Filed and kept in custody

Workpapers (Contd)
What are documented in WPs?
- Audit plans
- Audit programs
- Audit activities
- Audit tests
- Audit findings and incidents

PERFORMING AN IS AUDIT

Fraud Detection
- Management's responsibility: establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives.
- Benefits of a well-designed internal control system:
  - Deterring fraud at the first instance
  - Detecting fraud in a timely manner
  - Fraud detection and disclosure
- Auditor's role in fraud prevention and detection: the IS auditor may, after careful evaluation, communicate the need for a detailed investigation to appropriate authorities.

PERFORMING AN IS AUDIT

Risk-based Approach Overview
- A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing.
- Gather information and plan
- Obtain understanding of internal control
- Perform compliance tests
- Perform substantive tests
- Conclude the audit

Audit Risks
- Audit risk is the risk that the information/financial report may contain a material error that may go undetected during the audit.
- Inherent risk: the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls.
- Control risk: the risk that a material error exists that will not be prevented or detected in a timely manner by the internal control system.
- Detection risk: the risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.
- Overall audit risk

PERFORMING AN IS AUDIT

Materiality
- An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited.
- The concept of materiality requires sound judgment from the IS auditor. The IS auditor may detect a small error that could be considered significant at an operational level, but may not be viewed as significant by upper management.

RISK ASSESSMENT

- Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
- It should include the systematic approach of estimating the magnitude of risks (risk analysis) and the process of comparing the estimated risks against risk criteria to determine the significance of the risks (risk evaluation).
- Should also be performed periodically to address changes in the environment, security requirements and in the risk situation (e.g. in the assets, threats, vulnerabilities, impacts).

PERFORMING AN IS AUDIT

Compliance vs. Substantive Testing
- Compliance test: determines whether controls are in compliance with management policies and procedures
- Substantive test: tests the integrity of actual processing
- Correlation between the level of internal controls and substantive testing required
- If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then the IS auditor is justified in minimizing the substantive procedures.

Audit Objectives
- Specific goals of the audit
- Compliance with legal and regulatory requirements
- Confidentiality
- Integrity
- Reliability
- Availability
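The slides list "use of generalized audit software to survey the contents of data files (including system logs)" among the procedures for testing IS controls, and then describe how a compliance test (test of controls) drives the extent of substantive testing. The script below is an added example, not part of the original slides or of any vendor's audit software: it runs a compliance test over a constructed change-log export (the control under test: every production change cites a change ticket approved by someone other than the implementer), runs a substantive test that recomputes account totals from a constructed transaction file and compares them with the totals a report claimed, and uses the compliance result to decide whether substantive procedures may be minimized. The field names, the 5% tolerable deviation rate, the materiality threshold and all records are constructed assumptions for illustration.

```python
"""Added example (not from the original slides): a small generalized-audit-software
style script. It performs a compliance test (test of controls) over a constructed
change log, a substantive test (recomputation) over a constructed transaction
file, and then sizes the substantive work from the compliance result.
All data, field names and thresholds are constructed assumptions."""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed change log, as a CSV export of a system log. Control under test:
# each production change must cite a change ticket, and the approver must not be
# the implementer (segregation of duties). C-003 and C-004 are seeded exceptions.
CHANGE_LOG = """\
change_id,implementer,ticket,approver
C-001,alice,CHG-100,bob
C-002,bob,CHG-101,carol
C-003,alice,,
C-004,dave,CHG-102,dave
C-005,carol,CHG-103,alice
C-006,bob,CHG-104,carol
C-007,alice,CHG-105,bob
C-008,dave,CHG-106,carol
C-009,carol,CHG-107,bob
C-010,bob,CHG-108,alice
"""

# Constructed transaction file plus the per-account totals a report claimed.
# Account 4003 is seeded with a reported total that does not match the file.
TRANSACTIONS = """\
txn_id,account,amount
T-1,4001,100.00
T-2,4001,250.50
T-3,4002,75.25
T-4,4002,10.00
T-5,4003,999.99
"""
REPORTED_TOTALS = {"4001": Decimal("350.50"), "4002": Decimal("85.25"), "4003": Decimal("900.00")}

TOLERABLE_DEVIATION_RATE = 0.05   # assumed tolerable exception rate for the control
MATERIALITY = Decimal("1.00")     # assumed materiality threshold for recomputation differences


def compliance_test(change_log_csv):
    """Test of controls: returns (exceptions, deviation_rate, control_adequate)."""
    rows = list(csv.DictReader(io.StringIO(change_log_csv)))
    exceptions = []
    for row in rows:
        if not row["ticket"]:
            exceptions.append((row["change_id"], "no change ticket"))
        elif row["approver"] == row["implementer"]:
            exceptions.append((row["change_id"], "self-approved"))
    rate = len(exceptions) / len(rows) if rows else 0.0
    return exceptions, rate, rate <= TOLERABLE_DEVIATION_RATE


def substantive_test(transactions_csv, reported_totals, accounts=None):
    """Recompute totals per account from the transaction file and compare them
    with the reported totals. Returns (account, recomputed, reported, difference)
    for every difference at or above materiality. `accounts` limits the scope."""
    recomputed = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(transactions_csv)):
        recomputed[row["account"]] += Decimal(row["amount"])
    findings = []
    for account, reported in reported_totals.items():
        if accounts is not None and account not in accounts:
            continue
        diff = recomputed[account] - reported
        if abs(diff) >= MATERIALITY:
            findings.append((account, recomputed[account], reported, diff))
    return findings


def plan_substantive_scope(control_adequate, reported_totals):
    """Adequate controls justify minimizing substantive procedures: here only the
    largest reported account is recomputed. Otherwise the whole population is tested."""
    if control_adequate:
        return {max(reported_totals, key=reported_totals.get)}
    return set(reported_totals)


def run_audit(change_log_csv=CHANGE_LOG, transactions_csv=TRANSACTIONS,
              reported_totals=REPORTED_TOTALS):
    exceptions, rate, adequate = compliance_test(change_log_csv)
    scope = plan_substantive_scope(adequate, reported_totals)
    findings = substantive_test(transactions_csv, reported_totals, scope)
    return {"exceptions": exceptions, "deviation_rate": rate, "control_adequate": adequate,
            "substantive_scope": scope, "substantive_findings": findings}


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, "->", value)
```

With the seeded data the compliance test finds two exceptions in ten changes (a 20% deviation rate), so the control is judged inadequate, the substantive scope expands to every account, and the recomputation surfaces the 99.99 difference on account 4003. A clean change log would pass the compliance test and shrink the substantive scope to the single largest account, which is the correlation between control strength and substantive testing that the slides describe.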

PERFORMING AN IS AUDIT

Evidence
- It is a requirement that the auditor's conclusions must be based on sufficient, competent evidence.
- Independence of the provider of the evidence
- Qualification of the individual providing the information or evidence
- Objectivity of the evidence
- Timing of evidence

Techniques for gathering evidence:
- Review IS organization structures
- Review IS policies and procedures
- Review IS standards
- Review IS documentation
- Interview appropriate personnel
- Observe processes and employee performance

PERFORMING AN IS AUDIT

Interviewing and Observing Personnel
- Actual functions
- Actual processes/procedures
- Security awareness
- Reporting relationships

Evaluation of Strengths and Weaknesses
- Assess evidence
- Evaluate overall control structure
- Evaluate control procedures
- Assess control strengths and weaknesses

PERFORMING AN IS AUDIT

Judging Materiality of Findings
- Materiality is a key issue
- Assessment requires judgment of the potential effect of the finding if corrective action is not taken

Communicating Audit Results
- Exit interview
  - Correct facts
  - Realistic recommendations
  - Implementation dates for agreed recommendations
- Presentation techniques
  - Executive summary
  - Visual presentation

Audit report structure and contents
- An introduction to the report
- The IS auditor's overall conclusion and opinion
- The IS auditor's reservations with respect to the audit
- Detailed audit findings and recommendations
- A variety of findings
- Limitations to audit
- Statement on the IS audit guidelines followed

Management Actions to Implement Recommendations
- Auditing is an ongoing process
- Timing of follow-up

PERFORMING AN IS AUDIT

Audit Documentation
- Contents of audit documentation
- Custody of audit documentation
- Support of findings and conclusions
