Chapter 7 IS Audit Process
An examination is an attestation process that provides the highest level of assurance about an
assertion that an auditor can provide. An examination encompasses gathering and evaluating
sufficient, competent evidence and performing appropriate tests and other procedures to form
the opinion about an assertion for presentation in an audit report. An examination requires a
higher threshold for audit evidence than a review. The audit tests, for example, can focus on a
comparison of the auditee’s stated and actual practices to established standards or relevant
control practices.
3) Agreed-upon Procedures Engagement: In agreed-upon procedures engagements, a third party
and the auditor agree on specific procedures that will be performed to obtain the evidence on
which the third party is willing to rely as a basis for a conclusion. Depending on the
requirements of the third party, the agreed-upon level of evidence may be significantly limited
Advantages of audit programs:
1) Audit programs assist audit management in resource planning.
2) They promote consistency in the tests performed on audits of the same process from one cycle to
the next.
3) They promote consistency in the tests performed on controls that are common to all processes.
The preliminary survey will also establish the boundaries of the systems under review and identify
any interfaces with other systems and any other audits which are planned. This provides the basis
for drafting the Audit plan. The preliminary survey should involve:
1) Review of the permanent audit file and previous audit reports, including reports from the
State Audit Office;
2) Review of the strategic and operational plans of the area to be audited;
3) Current organization charts;
4) Review of budget and management information;
5) Initial discussions with management of the organizational units to establish their objectives
in the area to be audited;
6) Review of relevant legislation, regulations, instructions etc.
At this stage it is also useful to identify the goals and objectives of the area(s) under review and the
key risks relating to those goals and objectives. The review of previous audit reports is an important
part of the preliminary survey. The reports provide an insight into the level of control at the time of
the last audit, and an opportunity to establish whether or not agreed recommendations have been
implemented by management.
The formal start of the audit is the Kick-off meeting which should be held between the Head of the
department to be audited and the Chief Internal Auditor accompanied by the Team Leader/Auditor
carrying out the work. This meeting is intended to:
1) Introduce the audit team to the management of the department to be audited;
2) Outline the objective of the audit and give a brief overview of the methodology to be used –
if this is the first audit of the department it will be necessary to give a more detailed
explanation of the approach;
3) Ask management to suggest particular areas which they think should be examined;
4) Discuss the areas which internal auditors consider to be the focus of the audit;
5) Explain that internal audit will keep them informed of the progress of the audit, and that
management's assistance will be welcomed throughout the audit;
6) Request additional information about the business process under audit and agree on the list
of documents required from the auditee;
7) Distribute a copy of the Internal Audit Charter to all present at the Kick-off meeting.
When documenting a system, the internal auditor should remember that the volume of documentation
should be limited to what is needed to identify and record the internal controls.
The information systems auditor keeps the risk strategy in mind while conducting the information
systems audit. People, processes, systems, and external events are all potential hazards to
operations in an entity. Inadequacy or failure of any one of them can result in events that may cause
loss. The loss may not always be described in monetary terms but may involve intangibles such as
loss of reputation.
Risk factors inherent in business operations include the following nine examples:
1) Access risk, referring to the risk of an unauthorized user securing access to information assets.
2) Business disruption risk, or the risk of non-availability of services from information systems
resources.
3) Credit risk, such as the failure of a counterparty honoring their payment obligation.
4) Customer service risk, referring to the risk of customers being deprived of services.
5) Data integrity risk, or the risk of a possible compromise of data integrity that may arise for
various reasons, including unauthorized access.
6) Financial/external report misstatement risk, referring to the risk that reports prepared by the
entity contain misstatements and errors.
7) Fraud risk, referring to the risk of losses arising out of fraud committed using information
systems resources.
8) Legal and regulatory risk, referring to risk of noncompliance to legal and regulatory
requirements and consequences thereof.
9) Physical harm risk, referring to the risk of suffering from bodily harm.
The IS auditor must understand the procedures for testing and evaluating information systems
controls. These procedures could include:
1) The use of generalized audit software to survey the contents of data files (including system
logs)
2) The use of specialized software to assess the contents of operating system parameter files
(or detect deficiencies in system parameter settings)
3) Flow-charting techniques for documenting automated applications and business processes
4) The use of audit reports available in operating systems
5) Documentation review
6) Observation
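Item 2 above refers to specialised software that assesses operating system parameter files and detects deficient settings. The script below is an added example, not part of the chapter, showing what such a check looks like for an OpenSSH server: it parses a constructed sshd_config, resolves the effective value of each directive (sshd uses the first value it reads for a keyword, and settings inside a Match block apply only conditionally), and compares the result with an audit baseline. The baseline values, the sample file and the directives chosen are assumptions for illustration; the defaults applied to absent directives are the ones documented in sshd_config(5) for current OpenSSH releases.

```python
"""Assess an OpenSSH server parameter file (sshd_config) against an audit baseline.

Added example; the baseline, the sample file and the directive set are
constructed for illustration and are not taken from the chapter.
"""
import re

# Assumed audit baseline: lower-cased directive -> (accepted values, default when absent).
# Defaults are the documented sshd_config(5) defaults for current OpenSSH releases.
BASELINE = {
    "permitrootlogin":        ({"no", "prohibit-password"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "permitemptypasswords":   ({"no"}, "no"),
    "x11forwarding":          ({"no"}, "no"),
    "maxauthtries":           ({"1", "2", "3", "4"}, "6"),
}

# Constructed sample file containing the deficiencies the test should surface.
SAMPLE_CONFIG = """\
# sample sshd_config (constructed)
Port 22
PermitRootLogin yes
PermitRootLogin no            # ignored by sshd: the first value for a keyword wins
PasswordAuthentication=yes    # keyword=value form is also accepted by sshd
MaxAuthTries 10
X11Forwarding no
Match User backup
    PasswordAuthentication no # conditional: applies only to matching connections
"""

_DIRECTIVE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return the effective unconditional settings as {keyword: value}.

    Keywords are case-insensitive; sshd uses the first value it reads for a
    keyword, so later duplicates are ignored (setdefault).  Everything from
    the first Match line onward is conditional and is left out here; a full
    tool would evaluate each Match block against the criteria it applies to.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        match = _DIRECTIVE.match(line)
        if match is None:
            continue                           # malformed line; sshd itself would reject it
        key, value = match.groups()
        key = key.lower()
        if key == "match":
            break
        effective.setdefault(key, value.strip().strip('"'))
    return effective


def assess(effective, baseline=BASELINE):
    """Compare effective settings with the baseline; return one finding per deficiency.

    An absent directive is assessed at its default, so a file that never
    mentions PasswordAuthentication is still reported as allowing passwords.
    """
    findings = []
    for key, (allowed, default) in baseline.items():
        present = key in effective
        value = effective.get(key, default)
        if value not in allowed:
            findings.append({
                "directive": key,
                "value": value,
                "source": "explicit" if present else "default (directive absent)",
                "expected": sorted(allowed),
            })
    return findings


if __name__ == "__main__":
    for f in assess(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"{f['directive']}: {f['value']} ({f['source']}); expected one of {f['expected']}")
```

Run against the sample file, the check reports PermitRootLogin, PasswordAuthentication and MaxAuthTries as deficient and accepts X11Forwarding; the duplicate PermitRootLogin and the Match-block PasswordAuthentication line do not change the result, which is the kind of detail a manual read of the file easily gets wrong. Recording whether a value was explicit or a default matters for the finding's cause: an absent directive points to a missing hardening baseline rather than to a deliberate change.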
Audit testing can be a very substantial part of the audit process, sometimes taking up to half the
time available for the audit. This means it is important to ensure:
1) audit tests are carefully planned;
2) there is adequate evidence of the testing which has been done;
3) conclusions can be fully supported by the testing done.
Types of Testing
There are two main types of testing: tests of controls (compliance tests) and substantive tests.
1. Compliance testing: Compliance tests collect evidence on whether the control procedures are
correctly implemented and operate reliably. The objective is to determine whether or not the
system of internal controls operates as it is supposed to operate, and to obtain assurance that
the internal control measures functioned effectively throughout the period under review.
The main purpose of compliance tests is not to identify errors, deviations or potential fraud, but
to identify the control procedures that are not performed correctly. The reasons for the
omissions and deviations are more important to the auditor than the omissions and deviations
themselves. The number of compliance tests carried out depends on two factors:
a. the size of the information flow related to the respective process;
b. the nature of the control measures.
2. Substantive testing: Substantive tests are performed where compliance testing has shown that
internal controls are weak or inadequate, and involve obtaining sufficient evidence to enable
the auditor to make a final judgment on whether or not material losses have occurred during
computer data processing. Their purpose is two-fold:
a. to determine if any significant losses have occurred; and
b. to contribute to internal audit's assessment of the organization's overall control
environment.
The following are the five types of substantive tests that can be used within a data processing
installation:
a) Tests to identify erroneous processing
b) Tests to assess the quality of data
c) Tests to identify inconsistent data
d) Tests to compare data with physical counts
e) Confirmation of data with outside sources
There is no prescribed format for an IS audit report; in practice the organization's audit policies
and procedures dictate the format. Audit reports, however, usually have the following structure
and content:
1. An introduction to the report, including a statement of audit objectives and scope, the period of
audit coverage, and a general statement on the nature and extent of the audit procedures performed
during the audit
2. The IS auditor’s overall conclusion and opinion on the adequacy of controls and procedures
examined during the audit
3. The IS auditor’s reservations or qualifications with respect to the audit. This may state that
the controls or procedures examined were found to be adequate or inadequate. The balance of
the audit report should support that conclusion and the overall evidence gathered during the
audit should provide an even greater level of support.
4. Detailed audit findings and recommendations. The decision whether to include a finding in an
audit report should be based on the materiality of the finding and the intended recipient of the
report. An audit report directed to the audit committee of the board of directors, for example,
may not include findings that are important to local management but have little control
significance to the overall organization. The decision of what to include in the various levels of
audit reports depends upon the guidance provided by upper management.
5. A variety of findings, some of which may be quite material while others are minor in nature
6. Limitations to audit
7. Statement on the IS audit guidelines followed
The ISACA IS Auditing Guideline, Report Content and Form, specifies that the report should
include all significant audit findings. When a finding requires explanation, the IS auditor should
describe the finding, its cause and its risk. When appropriate, the IS auditor should provide the
explanation in a separate document and make reference to it in the report.
There are a number of ways a control self-assessment can be implemented but its key feature is
that, in contrast to a traditional audit, the tests and checks are made by staff whose normal day-to-
day responsibilities are within the business unit being assessed. Benefits claimed for control self-
assessment include creating a clear line of accountability for controls, reducing the risk of fraud and
the creation of an organization with a lower risk profile. Control self-assessment will not fulfill the
independence requirement, so a traditional audit is still required. CSAs can be used to identify areas
that are high risk and may need a more detailed review later.
7.12.1. Methodologies
Six basic methodologies for control self-assessment have been defined:
1) Internal Control Questionnaire (ICQ) self-audit
2) Customized questionnaires
3) Control guides
4) Interview techniques
5) Control model workshops
6) Interactive workshops