IS AUDIT PROCESS
MINIMALIST PRESENTATION

POH HUI LING 253718


CHAN MEI LING 256645
THINESWARI A/P THIRU KUMARAN 250678
NOR ASHIKIN BINTI ABDULLAH 250813

INTRODUCTION

An IS audit is defined as the process of collecting and evaluating evidence to determine whether the information systems and related resources:

• adequately safeguard assets,
• maintain data and system integrity,
• provide relevant and reliable information,
• achieve organizational goals effectively, and
• consume resources efficiently.

INTRODUCTION

An IS audit is intended to assess whether internal controls provide reasonable assurance that:

• business, operational and control objectives will be met, and
• undesired events will be prevented, or detected and corrected, in a timely manner.

IS AUDIT PROCESS
OVERVIEW

2.1 ESTABLISHING & APPROVING AN AUDIT CHARTER
• The first audit objective is to establish an audit charter, which
gives you the authority to perform an audit. The audit charter is
issued by executive management or the board of directors.
• The audit charter should clearly state management’s assertion
of responsibility, their objectives, and delegation of authority.

[Diagram: Audit Charter, linking Authority, Responsibility and Accountability]
Planning
• Internal Control Questionnaire
• Audit Scope
• Objective

Assessment
• Fieldwork
• Evaluation
• Testing

Reporting
• Communication
• Audit Findings

Follow-Up
• Confirmation of Planned Actions
• Audit Response Verification
• Assessment Result

• First step in IT audit
• Short-Term Goal
- that will be covered during the year.

• Long-Term Goal
- regarding changes to the organization’s IT strategic direction.
• Objective: To obtain sufficient information about the firm to plan the following phases of the audit.

Planning Considerations
• Risk assessment
• Regulatory requirements
• System implementation
• Current and future technologies
• IS resources limitations

Information Gathering
• An understanding of the business environment
• Business practices and functions relating to the audit
• Type of IS and IT supporting the business
• Listing of regulatory requirements in which the business operates
• Review background information
• Review long-term plans
• Interview key managers
• Touring the organization’s facilities

• Audit Risk
• Detection Risk
• Inherent Risk
• Control Risk
• Business Risk
• Continuity Risk
• Material Risk
• Security Risk

RISK MANAGEMENT
1. Developing a risk-management team
2. Identify Assets
3. Identify Threats
4. Perform Risk Analysis
5. Perform Risk Mitigation
6. Monitoring

2.4 Identifying the audit evidence

• Audit Evidence
• Objective
• Evidence Reliability
• Obtaining Evidence

Audit Evidence
Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria.

It is a requirement that the auditor’s conclusions must be based on sufficient, relevant and competent evidence.

When planning the IS audit work, the IS auditor should take into account the type of audit evidence to be gathered to meet the audit objectives and its varying levels of reliability.

While all evidence will assist the IS auditor in developing audit conclusions, some evidence must be taken into account, as required by the audit standard.

Evidence that the auditor obtains should be and should achieve audit
objective effectively.
SURRE rule:

• Sufficient
• Usable
• Reliable
• Relevant
• Effective

The main objective of the work performed by the auditor in an audit engagement is that of obtaining reasonable assurance as to whether the financial statements, as a whole, are free from material misstatement, so that the auditor is able to express an opinion on the financial statements and report accordingly in the auditor’s report.

Evidence Reliability

• Is the provider of the evidence independent? The reliability of audit evidence is increased when it is obtained from independent sources outside the entity.
• Is the evidence provider qualified?
• How objective is the evidence?
• When is evidence available?
• Audit evidence provided by original documents is more reliable than audit evidence provided by photocopies.
• Audit evidence in documentary form, whether paper, electronic, or other medium, is more reliable than evidence obtained orally.


Audit procedures to obtain sufficient appropriate audit evidence

• Inspection: Inspection of documents and records provides varying degrees of reliability, depending on the nature and source of the documents.
• External Confirmation: Confirmation is a written request addressed to third parties.
• Re-performance: may be performed manually or through the use of computer-assisted audit techniques (CAATs).
• Observation: Procedure that consists of looking at a process or procedure being performed by others so that evidence about the actual performance is obtained.
• Re-calculation: Computation or recalculation provides a high level of assurance regarding arithmetical accuracy.
• Analytical procedures: Analytical procedures are used throughout the audit process and are conducted for the primary and secondary purposes

most basic ways to gather evidence during an audit. Simply looking around is a very powerful way to understand how an organization works.

2.6 Reporting audit findings

An audit report is the formal opinion of audit findings.

The audit report is the end result of an audit and can be used by the recipient
person or organization as a tool for financial reporting, investing, altering
operations, enforcing accountability, or making decisions.

An effective audit report is essential to making sure the results of your audit are
presented in a way that is useful to the party receiving the audit.

Evaluate audit strengths and weaknesses to develop the audit opinions and recommendations.

It requires the IS auditor to make judgments that are often gained from experience.

In general, an audit report has three sections: an introduction, a section which describes the scope of the audit, and the auditor’s opinion, which describes the audit findings.

Introduction
• States the auditor’s responsibilities and your business’s responsibilities regarding the audit.
• It would typically also include the names of the auditor or auditors and the dates of the audit.

Scope section
• Describes the auditing process.
• It states the areas that were audited, who completed the audit and when, and what criteria were used to perform the audit.
• Describes exactly what the auditor did. The auditor would include what financial statements they reviewed and what tests they performed.

Auditor’s opinion
• This is where the auditor states what they found and whether it conforms to the criteria of the audit.
• Depending on the type of audit, the auditor may also include recommendations for improving or solving issues that were found during the audit.

Type of Audit Findings

• Unqualified opinion: It means that the auditor was able to complete the audit and it was in compliance with the criteria of the audit.
• Adverse opinion: It indicates that the auditor found a misrepresentation or misstatement in the area being audited.
• Qualified opinion: There was an issue with the audit. The auditor may not have been given access to all the information and documents he needed.
• Disclaimer opinion: The auditor was unable to complete the audit. This may be because the financial statements weren’t available or that the auditor wasn’t given full access to the needed information.

IS AUDIT PROCESS
(last stages)
Conducting Follow-Up Activities
1) Definition

2) The purpose of follow-up

3) Responsibility for follow-up activities

4) Objectives

5) When there is no need to perform follow-up activities

6) Who performs follow-up activities

7) Timing and scheduling for follow-up activities

8) Form of follow-up responses


1) Definition
A process by which internal auditors evaluate the adequacy,
effectiveness, and timeliness of actions taken by management on
reported observations and recommendations, including those made by
external auditors and others.

2) Purpose
Helps to prevent this from becoming an issue:
• how outstanding recommendations/management actions will be tracked
• how resolution will be reported and validated
• what follow up action might be needed
• how this will be carried out in order to provide assurance that identified risks are being
appropriately addressed.

3) Responsibility for follow-up activities

1. Conducted by the internal auditor

2. Depends on management

3. Verified the risk management process


4) Objectives
1. Monitor the audit result
2. Ensure that action plans have been implemented

5) When there is no need to perform follow-up activities

1. The audit program manager believes the audit process ends with the audit report
2. Agreed-upon criteria are fulfilled or met
3. The audit purpose or objectives can vary greatly depending on the context of the organization

6) Who performs follow-up activities

Internal Audit Division (IAD) : Internal Auditor


7) Timing and Scheduling of Follow-up Activities

1) Integral part

2) Takes time and cost

3) Degree of risk and exposure involved

8) Form of Follow-up Responses


1) Written
2) Oral

Conclusion