Chapter 7 IS Audit Process

Information System Audit

Chapter 7: IS Audit Process


7.1. Introduction
The scope of an information systems audit includes verifying the existence and performance of
controls. The selection of the controls to test remains a critical decision for the information systems
auditor and will have a major role in determining the quality of the audit. In order to ensure
adequate coverage of testing, the auditor is required to prioritize testing of controls. Prioritization
essentially depends on the corresponding loss exposure to the auditee in the event of the failure of a
specific control. The likelihood of a control failing, and even being activated, is uncertain.

7.1.2. Scope of IS Audit


The scope of information system auditing should encompass the examination and evaluation of the
adequacy and effectiveness of the system of internal control and the quality of performance by the
information system. Information System Audit will examine and evaluate the planning, organizing,
and directing processes to determine whether reasonable assurance exists that objectives and goals
will be achieved. Such evaluations, in the aggregate, provide information to appraise the overall
system of internal control.

7.1.3. Types of Audit Engagements


1) Review: A review is designed to provide limited assurance about an assertion. As the name
implies, a review consists primarily of review work with less emphasis on testing or
verification. A review can be more process oriented, focusing on the appropriateness of the
tasks and activities that the audit entity performs and the associated controls.
• The level of evidence that is gathered is less than in an audit, and testing is generally limited
or none is performed.
• As a result, reviews do not include audit opinions. Instead, conclusions may often be stated
negatively.
2) Examination: An information system audit can be performed as an examination, which is a
systematic process by which a competent, independent person objectively obtains and evaluates
evidence regarding assertions about an entity or event, processes, operations or internal
controls, for the purpose of forming an opinion and providing a report on the degree to which
the assertions conform to an identified set of standards.

An examination is an attestation process that provides the highest level of assurance about an
assertion that an auditor can provide. An examination encompasses gathering and evaluating
sufficient, competent evidence and performing appropriate tests and other procedures to form
the opinion about an assertion for presentation in an audit report. An examination requires a
higher threshold for audit evidence than a review. The audit tests, for example, can focus on a
comparison of the auditee’s stated and actual practices to established standards or relevant
control practices.
3) Agreed-upon Procedures Engagement: In agreed-upon procedures engagements, a third party
and the auditor agree on specific procedures that will be performed to obtain the evidence on
which the third party is willing to rely as a basis for a conclusion. Depending on the
requirements of the third party, the agreed-upon level of evidence may be significantly limited
or extensive. The auditor may need to obtain a substantial amount of evidence; in some cases,
more than is required for an audit.

Chapter 7: IS Audit Process Page 1

7.1.4. Information Systems Audit Program


Audit programs are necessary to perform an effective and efficient audit. Audit programs are
essentially checklists of the various tests that auditors must perform within the scope of their audits
to determine whether key controls intended to mitigate significant risks are functioning as designed.
Based on the results of the tests performed, the auditor should be able to determine the adequacy of
the controls over a particular process.

Advantages:
1) Audit programs can also assist audit management in resource planning.
2) They help promote consistency in tests performed on audits of the same process from one cycle to
the next.
3) Audit programs can also promote consistency in tests performed on controls that are common to
all processes.

7.2. IS Audits Areas of Focus for an Auditor


Auditors involved in reviewing an information system should focus their concerns on the system’s
control aspects. They must look at the total systems environment not just the computerized
segment. This requires their involvement from the time that a transaction is initiated until it is
posted to the organization’s general ledger. Specifically, auditors must ensure that provisions are
made for:
1) An adequate audit trail so that transactions can be traced forward and backward through the
system.
2) Controls over the accounting for all data
3) Handling exceptions to and rejections from the computer system.
4) Testing to determine whether the systems perform as stated.
5) Control over changes to the computer system to determine whether the proper authorization
has been given.
6) Authorization procedures for system overrides.
7) Determining whether organization and Government policies and procedures are adhered to
in system implementation.
8) Training user personnel in the operation of the system.
9) Developing detailed evaluation criteria so that it is possible to determine whether the
implemented system has met predetermined specifications.
10) Adequate controls between interconnected computer systems.
11) Adequate security procedures to protect the user’s data.
12) Backup and recovery procedures for the operation of the system.
13) Technology provided by different vendors
14) Databases are adequately designed and controlled to ensure that common definitions of data
are used throughout the organization, that redundancy is eliminated or controlled and that
data existing in multiple databases is updated concurrently.

7.3. Elements of IS Audit


An information system is not just a computer. Today's information systems are complex and have
many components that piece together to make a business solution. Assurances about an information
system can be obtained only if all the components are evaluated and secured; as the proverb
goes, a chain is only as strong as its weakest link. The major elements of IS audit can be broadly
classified as follows:
1) Physical and environmental review - This includes physical security, power supply, air
conditioning, humidity control and other environmental factors.
2) System administration review - This includes security review of the operating systems,
database management systems, all system administration procedures and compliance.
3) Application software review - The business application could be payroll, invoicing, a web-
based customer order processing system or an enterprise resource planning system that actually
runs the business. Review of such application software includes access control and
authorizations, validations, error and exception handling, business process flows within the
application software and complementary manual controls and procedures. Additionally, a
review of the system development lifecycle should be completed.
4) Network security review - Review of internal and external connections to the system,
perimeter security, firewall review, router access control lists, port scanning and intrusion
detection are some typical areas of coverage.
5) Business continuity review - This includes existence and maintenance of fault tolerant and
redundant hardware, backup procedures and storage, and documented and tested disaster
recovery/business continuity plan.
6) Data integrity review - The purpose of this is scrutiny of live data to verify adequacy of
controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive
testing can be done using generalized audit software (e.g., computer assisted audit techniques).

7.4. Phases of the Audit Process


Successfully implementing IS/IT audit processes depends to a large extent on organizational
commitments and the existence of a structural foundation supporting audit activities. The
information system (IS) controls audit involves the following three phases:
1) Planning: The auditor determines an effective and efficient way to obtain the evidential matter
necessary to achieve the objectives of the IS controls audit and the audit report.
2) Testing: The auditor tests the effectiveness of IS controls that are relevant to the audit
objectives.
3) Reporting: On completing the audit process, the auditor prepares a comprehensive audit report
giving details of all the phases of review and testing conducted. The audit report also consists of
the recommendations of the auditor for improvement in control systems.

7.5. Audit Process Stages/ Steps


A systems based audit comprises the following stages:
1) Preparing for & planning the audit assignment
2) Ascertaining and recording the system
3) Identifying system objectives
4) Identifying risks and evaluating controls against risks
5) Testing controls
6) Arriving at conclusions
7) Audit report writing

7.6. Preparing for & Planning the Audit Assignment


Preparing for and planning the audit assignment consists of the following phases:
a) Preliminary review phase
b) Kick-off meeting
c) Audit plan
The planning phase consists of five key steps.
1) Determine audit subject.
2) Define audit objective.
3) Set audit scope.
4) Perform pre-audit planning.
5) Determine audit procedures and steps for data gathering.

7.6.1. Preliminary survey:


The main objective of this step is to obtain the information necessary for the auditor to make a
decision on how to proceed with the audit. This stage includes a review of the management and
application controls existing in the company. It is undertaken in order to get an overview of the area
to be audited. This preliminary survey should provide the basis for planning the audit, and for
determining:
1) The objectives of the audit;
2) The scope of the audit and any specific areas that are to be given emphasis because they are
high risk, are of critical importance to the system and/or suffer from weaknesses which are
already known;
3) Target dates for completion of each stage of the audit work;
4) Which auditors are to be employed on the audit and who is responsible for supervising the
audit team and ensuring the quality of the audit work.

The preliminary survey will also establish the boundaries of the systems under review and identify
any interfaces with other systems and any other audits which are planned. This provides the basis
for drafting the Audit plan. The preliminary survey should involve:
1) Review of the permanent audit file and previous audit reports, including reports from the
State Audit Office;
2) Review of the strategic and operational plans of the area to be audited;
3) Current organization charts;
4) Review of budget and management information;
5) Initial discussions with management of the organizational units to establish their objectives
in the area to be audited;
6) Review of relevant legislation, regulations, instructions etc.

At this stage it is also useful to identify the goals and objectives of the area(s) under review and the
key risks relating to those goals and objectives. The review of previous audit reports is an important
part of the preliminary survey. The reports provide an insight into the level of control at the time of
the last audit, and an opportunity to establish whether or not agreed recommendations have been
implemented by management.

7.6.2. Kick-off meeting:
Prior to the Kick-off meeting the internal auditors and external experts are required to have a
Letter of Authorization signed by the Head of the Internal Audit unit, while the appointment of
the Head of the Internal Audit unit is signed by the person in charge of the institution, prior to the
performance of any of the audits within the Annual Plan.
The Letter of Authorization shall specify:
- Systems and procedures subject to the audit;
- Objectives of the audit set out in the Annual Internal Audit Plan;
- Audit team and Team Leader; and
- Time-frame and deadline for submission of Final Internal Audit Report.

The formal start of the audit is the Kick-off meeting which should be held between the Head of the
department to be audited and the Chief Internal Auditor accompanied by the Team Leader/Auditor
carrying out the work. This meeting is intended to:
1) Introduce the audit team to the management of the department to be audited;
2) Outline the objective of the audit and give a brief overview of the methodology to be used –
if this is the first audit of the department it will be necessary to give a more detailed
explanation of the approach;
3) Ask management to suggest particular areas which they think should be examined;
4) Discuss areas which internal auditors consider to be the focus of the audit;
5) Explain that internal audit will keep them informed of the progress of the audit, and that
management’s assistance will be welcomed throughout the audit.
6) Request additional information about the business process under audit and agree on the list
of documents required from the auditee;
7) Distribute a copy of the Internal Audit Charter to all present at the Kick-off meeting.

7.6.3. Audit Plan:


After the preliminary survey and the kick-off meeting, an Audit Plan should be prepared. An Audit
plan is the specific guideline to be followed when conducting an audit. It helps the auditor obtain
sufficient appropriate evidence for the circumstances, helps keep audit costs at a reasonable level,
and helps avoid misunderstandings with the client.

7.6.4. Techniques Used for Information Systems Planning


Various techniques used by the auditors include audit area selection, simulation and modeling,
scoring, and competency center.
1) Audit area selection: This technique is applicable in multi-locational complex computer
systems. It helps the auditor to identify the areas where the audit would require the maximum
attention. This helps to optimize the use of limited resources effectively in potential problem
areas.
2) Simulation and modeling: This audit procedure is used to monitor selected transactions on a
continuous basis. A comparison is made between the expected results and the actual results
from the process. Expected results are derived by simulation of the process. Differences
between the expected and actual results help to identify areas where deviations have taken
place. This technique also identifies problem areas that require the auditor’s attention.

3) Scoring: In this technique, the characteristics of a computer application system are identified
and quantified. A score is awarded for each of the characteristics and a weighted score is
derived. A total of the individual weighted scores gives us the score of the system.
4) Competency center: In a computerized system spread over many locations, an alternative
technique is the centralized audit approach. The audit is conducted from a centralized location
using auditing software and other processes. Other locations are visited on a selective basis to
evaluate controls that require physical verification. Multisite audit software is used while
adopting this technique. Effective use of this technique requires the computer system at
different sites to be the same or almost identical, for example, the software used in banks.

7.7. Ascertaining and Recording the System


This involves
1) Describing the system
2) Undertaking a Walk through testing

7.7.1. Purpose for describing the system


The main reasons for describing the system are:
1) To confirm the auditor’s understanding of the system by formulating clear process / system
objectives;
2) To establish any interfaces between systems;
3) To establish how the system fits within the Organization;
4) To provide a basis for assessing the extent to which internal controls prevent or detect and
correct errors.
The description of the system forms the basis for the auditor’s judgment, conclusions and
recommendations. It also should provide a basis for the evaluation of the strengths and weaknesses in
internal control. The auditor should decide which technique or combination of techniques for
recording systems (text and/or flowchart) is most appropriate, taking into account the nature and
complexity of the system, the audit objectives and any audit work done earlier. Sources of
information can include:
1) Files and papers from earlier audits;
2) Organizational and procedural rulebooks, manuals, guidelines and other acts used in the
organization;
3) Interviews and informal discussions with managers and staff
4) Observation of the physical environment and the working methods used. It is particularly
useful where no physical evidence that something has happened remains after the event.
Remember that the presence of the auditor may influence the behaviour of staff and the
practices observed may not, therefore, be typical. It may also be difficult to substantiate the
evidence.
5) Documents and records used in the system;
6) Reports prepared by any Control and Inspection Units;
7) Any other reports relating to the area under audit;
8) Management information.

Steps Required in Documenting Systems
1. Establish an outline of the system to enable you to decide on whether to use narrative or
flowcharting to document the system, and also to decide which of the main sub-systems it will
be appropriate to describe separately;
2. Obtain a detailed description of the systems and internal control features from discussions with
departmental personnel. This should include a record of:
a. Which processes and procedures are carried out and by whom;
b. Any changes in procedures for different types or groups of transactions – e.g. those of
high value;
c. Measures taken to maintain the continuity of the working process (lunch hours,
holidays, vacations or peak flows of operations);
d. All documents used in the process;
e. All computer reports along with their purpose and the way they are used.
3. Record information on rough flowcharts or notes. If possible compare with acts describing
internal procedures.
4. Perform walk-through tests to ensure that the system actually does operate in the manner which
has been described.
5. Prepare documentation describing the system – narrative and/or flowchart.
6. Cross reference documents and reports of the system to the narrative and/or flowchart.

When documenting a system, the internal auditor should remember that the volume of documentation
should be limited to what is needed to identify and record the internal controls.

7.7.2. Walk-through testing


In conducting ‘walk through’ tests, the auditor looks primarily for evidence of the existence of
controls. This may involve examining a small number of different transactions at each stage of the
process or following one transaction through from start to finish. The aim of this type of testing is
to make sure that the system works in the way it is described in the systems narrative or flowcharts
and to confirm the controls in place at each stage.
• If there is a difference, or any other information is identified which is inconsistent with the
flowchart, you should refer back to the original source of the information before doing any
more work. This is important because, if the system record has to be amended, the paths for
walk-through test also may have to be changed.
• When the difference is the result of an incidental breakdown in the system, you will normally
need only to record this fact on your working papers. This information will then be taken into
account in the evaluation of internal control.

7.8. Identifying System Objectives


The key to an effective system based audit is to identify the system objectives that determine the
control objectives against which controls in the system can be audited. A systems based audit is
concerned particularly with establishing the link between controls and objectives in order to gather
evidence to support the auditor’s professional opinion on the adequacy and effectiveness of internal
control in that system.

By obtaining an understanding of what the objectives of the system are, it will help you to identify
what the control objectives should be. The control objectives need to be consistent with the
objectives of management in the organization, and should be discussed and agreed with
management before you start any evaluation of controls. In order to ensure that security of
information systems is preserved, the entity needs to ensure that usage of information systems
assets and related processes, whether computerized or manual, is governed by an internal control
system.

7.8.1. Establishing Control Objectives


This involves:
1. identifying the main activities;
2. determining the objectives of those activities or processes, and
3. developing the control objectives which will help ensure the achievement of the objectives of
the main activities or processes.

7.8.2. System Effectiveness and Efficiency


During the course of information systems audit, an auditor is often required to comment on the
effectiveness and efficiency of a system. An information systems auditor is required to know the
difference between the two, which is described below.
• Effectiveness evaluation determines whether the system is achieving its objectives and whether
the system should be continued, modified, upgraded, or scrapped. Effectiveness analysis may
be done at the design stage to ensure that user needs are being fulfilled and the system is
achieving its implementation objectives.
• Efficiency of a system is reflected by usage of the minimum amount of resources to achieve its
objectives. The resources may be of different kinds, including machine time, peripherals,
system software, application software, and human resources.

7.9. Identifying Risks & Evaluating Controls against Risks


Risk is the likelihood that the entity would face a vulnerability being exploited or a threat becoming
harmful. Vulnerability is the inherent weaknesses of a system or process that can be exploited by a
threat. Threats stand for uncertain events that can cause loss to the entity. The threats exploit the
gap between the level of protection necessary and the degree of protection achieved.

The information systems auditor keeps the risk strategy in mind while conducting the information
systems audit. People, processes, systems, and external events are all potential hazards to
operations in an entity. Inadequacy or failure of any one of them can result in events that may cause
loss. The loss may not always be described in monetary terms but may involve intangibles such as
loss of reputation.

Risk factors inherent in business operations include the following nine examples:
1) Access risk, referring to the risk of an unauthorized user securing access to information assets.
2) Business disruption risk, or the risk of non-availability of services from information systems
resources.
3) Credit risk, such as the failure of a counterparty honoring their payment obligation.
4) Customer service risk, referring to the risk of customers being deprived of services.
5) Data integrity risk, or the risk of a possible compromise of data integrity that may arise for
various reasons, including unauthorized access.
6) Financial/external report misstatement risk, referring to the risk that reports prepared by the
entity contain misstatements and errors.
7) Fraud risk, referring to the risk of losses arising out of fraud committed using information
systems resources.
8) Legal and regulatory risk, referring to risk of noncompliance to legal and regulatory
requirements and consequences thereof.
9) Physical harm risk, referring to the risk of suffering from bodily harm.

7.9.1. Identifying Risks


Risks should be identified and recorded for each control objective. This will make it easier to
decide the type of testing and how much testing needs to be done. The risk endangers the
achievement of the objectives defined for the process. During the execution of the processes many
errors may emerge. These may be unintentional errors (misunderstandings, confusions, lack of
competence etc.) but also intentional errors (varying from deliberate wrong application of rules to
abuse such as forgery and misappropriation of means). Such risks can be identified on the basis of
the information collected at an earlier stage. The auditor shall estimate the risk at the planning stage
and during the audit itself.

7.9.2. Identification of key controls


The next stage of a Systems Based Audit is to identify and evaluate controls which exist to lessen
the risk of failing to achieve a particular control objective. Controls are actions and procedures
established by the auditee to ensure that the objectives of a system are met. Even if objectives are
met without controls, reliance cannot be placed on any system which functions without adequate
controls.

The key elements of this are:


• deciding on the risks relating to each control objective
• identifying the actual controls which exist in the system
• evaluating the effectiveness of those controls.

7.9.3. Evaluation of controls


Evaluating controls involves two stages:
1. evaluating the system design to establish the adequacy of control,
The auditor must consider whether the control objectives will be achieved by the identified
controls. This requires the use of audit judgement. This preliminary evaluation of the adequacy
of the existing controls involves:
a) starting at the higher level controls (e.g. planning and risk management) and working down
to lower level controls over individual transactions
b) considering the probability that something will go wrong and the significance (materiality)
to the organization if it does go wrong
c) looking for compensating controls which may enable the control objective to be met
d) looking for unnecessary controls, or ones which cost too much to apply.

2. evaluating the operation of the system to establish the effectiveness of control
This involves testing to ensure that the controls which have been identified have been operated
as intended and that they are achieving the control objective.

The IS auditor must understand the procedures for testing and evaluating information systems
controls. These procedures could include:
1) The use of generalized audit software to survey the contents of data files (including system
logs)
2) The use of specialized software to assess the contents of operating system parameter files
(or detect deficiencies in system parameter settings)
3) Flow-charting techniques for documenting automated applications and business process
4) The use of audit reports available in operating systems
5) Documentation review
6) Observation

7.10. Testing Controls


Audit testing is a supplement to management’s own testing, and is an essential part of the
independent appraisal of internal control carried out by internal audit. This testing:
1) confirms that management has been carrying out checking and testing, and
2) detects violations which management may not have identified.

Audit testing can be a very substantial part of the audit process, sometimes taking up to half the
time available for the audit. This means it is important to ensure:
• audit tests are carefully planned
• there is adequate evidence of the testing which has been done
• conclusions can be fully supported by the testing done.

Types of Testing
There are two main types of testing: test of controls or compliance test and substantive testing.
1. Compliance testing: Compliance tests aim at collecting evidence whether the control
procedures are correctly implemented and are reliable. The objective is to determine whether or
not the system of internal controls operates as it is supposed to operate. Compliance tests are
performed to guarantee the effectiveness of the functioning of internal control measures
throughout the control period. The purpose of compliance tests (i.e. testing the control
mechanisms and procedures) is to confirm that the existing control procedures are correctly
applied and are reliable.

The main purpose of compliance tests is not to identify errors, deviations or potential fraud, but
to identify the control procedures, which are not performed correctly. The reasons for the
omissions and deviations are more important to the auditors than the omissions and deviations
themselves. The number of compliance tests carried out depends on two factors:
a. the size of the information flow related to the respective process;
b. the nature of the control measures.
2. Substantive Tests: Substantive testing is done where it has been determined, through
compliance testing, that internal controls are weak or inadequate, and involves obtaining
sufficient evidence to enable the auditor to make a final judgment on whether or not material
losses have occurred during computer data processing. The purpose of this is two-fold:
• to determine if any significant losses have occurred, and
• to contribute towards internal audit’s assessment of the organization’s overall control
environment.

The following are the five types of substantive tests that can be used within a data processing
installation:
a) Tests to identify erroneous processing
b) Tests to assess the quality of data
c) Tests to identify inconsistent data
d) Tests to compare data with physical counts
e) Confirmation of data with outside sources

The results of this work will either:
• provide assurance to management that there have not been any significant losses to the
organisation as a result of a weak control environment, or
• provide evidence to management that the weak control environment has led to significant
losses, and thus prompt management to take appropriate action.
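As an added illustration of the two testing types (not part of the chapter's text), the following Python script runs a compliance test on an approval control and, only when that control proves unreliable, the substantive tests listed above over a constructed payment file, in the way generalized audit software would. The payment records, purchase-order ledger, vendor master, approval threshold and tolerable deviation rate are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not from the chapter): a payment process in which
# every payment above the approval threshold must carry an approver who is
# not the person who entered it, and every payment must match a purchase order.
APPROVAL_THRESHOLD = 1000.00          # assumed control parameter
TOLERABLE_DEVIATION_RATE = 0.05       # assumed tolerance for the compliance test

PAYMENTS = [
    {"id": "P001", "vendor": "V10", "amount": 500.00, "entered_by": "alice", "approved_by": "bob", "po": "PO-1"},
    {"id": "P002", "vendor": "V11", "amount": 2500.00, "entered_by": "alice", "approved_by": "alice", "po": "PO-2"},
    {"id": "P003", "vendor": "V12", "amount": 1800.00, "entered_by": "carol", "approved_by": "", "po": "PO-3"},
    {"id": "P004", "vendor": "V10", "amount": 500.00, "entered_by": "alice", "approved_by": "bob", "po": "PO-1"},
    {"id": "P005", "vendor": "V99", "amount": -40.00, "entered_by": "dave", "approved_by": "bob", "po": ""},
    {"id": "P006", "vendor": "V13", "amount": 3200.00, "entered_by": "erin", "approved_by": "bob", "po": "PO-6"},
]
# "Outside sources" used for confirmation: the purchase-order ledger and the vendor master file.
PURCHASE_ORDERS = {"PO-1": 500.00, "PO-2": 2500.00, "PO-3": 1800.00, "PO-6": 3100.00}
VENDOR_MASTER = {"V10", "V11", "V12", "V13"}


def compliance_test(payments):
    """Compliance test: was the approval control performed correctly on every
    payment it applies to?  Returns the ids where it was not (no approver, or
    self-approval).  This looks at the control, not at whether money was lost."""
    exceptions = []
    for p in payments:
        if p["amount"] > APPROVAL_THRESHOLD:
            if not p["approved_by"] or p["approved_by"] == p["entered_by"]:
                exceptions.append(p["id"])
    return exceptions


def control_deviation_rate(payments):
    """Share of the items subject to the control on which it did not operate."""
    population = [p for p in payments if p["amount"] > APPROVAL_THRESHOLD]
    if not population:
        return 0.0
    return len(compliance_test(payments)) / len(population)


def substantive_tests(payments, orders, vendors):
    """Substantive tests on the data itself, following the chapter's list:
    erroneous processing, inconsistent data, duplicates, and confirmation
    against outside sources."""
    findings = {"erroneous": [], "inconsistent": [], "unconfirmed": [], "duplicate": []}
    seen = Counter((p["vendor"], p["amount"], p["po"]) for p in payments)
    for p in payments:
        if p["amount"] <= 0:                        # erroneous processing
            findings["erroneous"].append(p["id"])
        if not p["po"] or p["po"] not in orders:    # no matching purchase order
            findings["inconsistent"].append(p["id"])
        elif abs(orders[p["po"]] - p["amount"]) > 0.005:   # amount differs from the PO
            findings["inconsistent"].append(p["id"])
        if p["vendor"] not in vendors:              # cannot be confirmed against vendor master
            findings["unconfirmed"].append(p["id"])
        if seen[(p["vendor"], p["amount"], p["po"])] > 1:   # possible double payment
            findings["duplicate"].append(p["id"])
    return findings


def potential_loss(payments, findings):
    """Upper bound on loss exposure: sum of the absolute amounts of every
    payment flagged by at least one substantive test."""
    flagged = set().union(*findings.values())
    return round(sum(abs(p["amount"]) for p in payments if p["id"] in flagged), 2)


def run_audit_tests(payments, orders, vendors):
    """Follow the chapter's sequence: compliance test first; only when the
    control is found unreliable, extend the work with substantive tests."""
    rate = control_deviation_rate(payments)
    result = {
        "compliance_exceptions": compliance_test(payments),
        "deviation_rate": round(rate, 4),
        "controls_reliable": rate <= TOLERABLE_DEVIATION_RATE,
    }
    if not result["controls_reliable"]:
        findings = substantive_tests(payments, orders, vendors)
        result["substantive_findings"] = findings
        result["potential_loss"] = potential_loss(payments, findings)
    return result


if __name__ == "__main__":
    for key, value in run_audit_tests(PAYMENTS, PURCHASE_ORDERS, VENDOR_MASTER).items():
        print(f"{key}: {value}")
```

With the constructed data, two of the three payments above the threshold bypass the approval control, so the control is judged unreliable and the substantive tests surface a duplicate, an unmatched amount, a negative payment and an unknown vendor.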

7.11. Audit Report


The exact format of an audit report varies by organization. However, the skilled IS auditor should
understand the basic components of an audit report and how it communicates audit findings to
management. The IS auditor should become familiar with the ISACA S7 Reporting and S8 Follow-
up Activities standards.

There is no specific format for an IS audit report, yet the organization’s audit policies and
procedures will dictate the format generally. Audit reports, however, usually will have the
following structure and content:
1. An introduction to the report, including a statement of audit objectives and scope, the period of
audit coverage, and a general statement on the nature and extent of audit procedures examined
during the audit
2. The IS auditor’s overall conclusion and opinion on the adequacy of controls and procedures
examined during the audit
3. The IS auditor’s reservations or qualifications with respect to the audit. This may state that
the controls or procedures examined were found to be adequate or inadequate. The balance of
the audit report should support that conclusion and the overall evidence gathered during the
audit should provide an even greater level of support.
4. Detailed audit findings and recommendations and the decision to include or not include
findings in an audit report. These should be based on the materiality of the findings and the
intended recipient of the audit report. An audit report directed to the audit committee of the
board of directors, for example, may not include findings that are important to local
management but have little control significance to the overall organization. The decision of
what to include in various levels of audit reports depends upon the guidance provided by upper
management.
5. A variety of findings, some of which may be quite material while others are minor in nature
6. Limitations to audit
7. Statement on the IS audit guidelines followed

The ISACA IS Auditing Guideline, Report Content and Form, specifies that the report should
include all significant audit findings. When a finding requires explanation, the IS auditor should
describe the finding, its cause and its risk. When appropriate, the IS auditor should provide the
explanation in a separate document and make reference to it in the report.

7.12. Control Self-Assessment (CSA)


Control Self-Assessment is a technique developed in 1987 that is used by a wide range of
organizations including corporations, charities and government departments, to assess the
effectiveness of their risk management and control processes. A control self-assessment (CSA) is
executed by the auditee. With a CSA, the auditor becomes a facilitator to help guide the client’s
effort toward self-improvement. The auditee uses the CSA to benchmark progress with the
intention of improving their score. A great deal of pride can be created by the accomplishment of
CSA tasks and learning the detail necessary to succeed in a traditional audit. Therefore, the CSA
process can generate benefits by empowering the staff to take ownership and accountability.

There are a number of ways a control self-assessment can be implemented but its key feature is
that, in contrast to a traditional audit, the tests and checks are made by staff whose normal day-to-
day responsibilities are within the business unit being assessed. Benefits claimed for control self-
assessment include creating a clear line of accountability for controls, reducing the risk of fraud and
the creation of an organization with a lower risk profile. Control self-assessment will not fulfill the
independence requirement, so a traditional audit is still required. CSAs can be used to identify areas
that are high risk and may need a more detailed review later.

7.12.1. Methodologies
Six basic methodologies for control self-assessment have been defined:
1) Internal Control Questionnaire (ICQ) self-audit
2) Customized questionnaires
3) Control guides
4) Interview techniques
5) Control model workshops
6) Interactive workshops

7.13. Ensuring Audit Quality Control


Quality does not happen automatically. It is a methodology that must be designed into your process,
not just inspected afterward. Quality control is necessary in every audit. Audit standards,
guidelines, and procedures are available to promote quality and consistency in a typical audit. An
audit process will need a variety of quality performance metrics to ensure success. The following
should be considered when designing an IS audit quality control process:
1) Use an audit methodology in a documented plan, including the actual step-by-step audit test
procedures.
2) Practice the technical audit test procedures in advance.
3) Gain an understanding of the auditee needs and expectations.
4) Keep a checklist of the tasks to be accomplished.
5) Respect business cycles and deadlines in your schedule.
6) Hold client interviews and workshops to better understand their concerns and to gather
intelligence regarding the upcoming audit.
7) Monitor audit evidence selection and technical testing.
8) Use customer satisfaction surveys.
9) Agree to terms of reference used by client, auditee, and auditor, as discussed in Chapter 1.
10) Establish technical evidence testing metrics for each audit.
11) Measure the audit plan against actual performance.
12) Respond to auditee complaints.

7.14. System Development Audit


Three types of audit of the systems development process:
1) Concurrent audit: an audit conducted on a continuing basis, with no specific audit period
defined. It is a systematic and timely examination, carried out regularly, to ensure accuracy and
compliance with procedures and guidelines.
2) Post-implementation audit: an audit performed to ensure that the original requirements have
been successfully implemented into production.
3) General audit

7.15. Effective IS Auditor


Characteristics of an Effective IS Auditor

Curiosity: A good auditor is a polymath and lifelong learner. Consider all the areas of expertise an
information systems auditor is required to touch upon. This individual will be expected to be
familiar not only with information systems but also with SDLC processes, accounting principles,
legal and regulatory matters, human resources management and more.

Flexibility: The information systems auditor may be expected to show up at the office of a CTO one
day in a suit and tie, and don a hard hat and steel-toe boots on the factory floor the next. Hours
and location of work shift from client to client. A good consultant/auditor should never expect to
show up to the same desk and office day after day.

Strategic thinker: A strong information systems auditor should be adaptive. Technology changes
quickly, legal and regulatory matters affect internal controls, and ever-evolving economic
conditions impact the operations of all competitive organizations. A strong auditor recognizes
these external forces and considers them during internal risk assessment.

Observant: Auditors must be keen on paying attention to details and identifying patterns, whether
that be observing the same hash repeatedly while reviewing a dozen different router configuration
files, or just being an excellent proofreader of reports.

Personable/agreeable: A strong consultant/auditor should be effective at building relationships.
They should be flexible, strategic, and observant enough to read the temperament of their client
and adapt to them, in order to foster a productive professional relationship.
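The "same hash repeatedly across router configuration files" observation above is a pattern an auditor can check mechanically rather than by eye: an identical secret hash on several devices means the same password was set on all of them, so one compromised device exposes the rest. The script below is an added example for this chapter, not code from the original text. It assumes Cisco IOS-style `enable secret` and `username ... secret` lines, and the device names and `$1$...` hash strings are constructed placeholders in the shape of such hashes, not values from any real configuration.

```python
import re
from collections import defaultdict

# Constructed sample: fragments of three router configs. The device names and
# the "$1$..." strings are made-up placeholders in the shape of IOS secret
# hashes, included only so the check has something to run over.
SAMPLE_CONFIGS = {
    "rtr-edge-01": """
hostname rtr-edge-01
enable secret 5 $1$AAAA$hashone
username admin secret 5 $1$BBBB$hashtwo
""",
    "rtr-core-01": """
hostname rtr-core-01
enable secret 5 $1$AAAA$hashone
username admin secret 5 $1$CCCC$hashthree
""",
    "rtr-branch-07": """
hostname rtr-branch-07
enable secret 5 $1$DDDD$hashfour
username ops secret 5 $1$BBBB$hashtwo
""",
}

# Matches "enable secret <type> <hash>" and "username <name> secret <type> <hash>".
SECRET_RE = re.compile(
    r"^\s*(?:enable\s+secret|username\s+(?P<user>\S+)\s+secret)"
    r"\s+(?P<type>\d+)\s+(?P<hash>\S+)",
    re.MULTILINE,
)


def extract_secret_hashes(config_text):
    """Return a list of (account, hash) pairs found in one device config.

    The enable secret is reported under the account name "enable".
    """
    found = []
    for m in SECRET_RE.finditer(config_text):
        account = m.group("user") or "enable"
        found.append((account, m.group("hash")))
    return found


def find_shared_hashes(configs):
    """Map each hash that appears on more than one device to the sorted list
    of (device, account) locations where it was seen.

    A hash reused on several devices means the same password is set on all
    of them; the auditor records it as a finding and recommends unique
    credentials per device (or central authentication) as the remediation.
    """
    seen = defaultdict(set)
    for device, text in configs.items():
        for account, h in extract_secret_hashes(text):
            seen[h].add((device, account))
    return {
        h: sorted(locs)
        for h, locs in seen.items()
        if len({device for device, _ in locs}) > 1
    }


def report_lines(configs):
    """Render the shared-hash findings as plain text lines for the workpapers."""
    lines = []
    for h, locs in sorted(find_shared_hashes(configs).items()):
        where = ", ".join(f"{device}:{account}" for device, account in locs)
        lines.append(f"shared secret hash {h} used on {where}")
    return lines


if __name__ == "__main__":
    for line in report_lines(SAMPLE_CONFIGS):
        print(line)
```

In a real engagement the `SAMPLE_CONFIGS` dictionary would be replaced by the exported configurations collected as audit evidence; the regex only covers the two line shapes named above and would need extending for other platforms or credential formats.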
