
IS/IT Audit
Audit Work Plan
overall blueprint of the audit engagement.
shows all the audit activities of the engagement, timelines and the person responsible
for each activity.

Composition:
1. Background of the system
obtained through Systems and Infrastructure briefing

2. Audit objectives
motu proprio vs requested engagements

3. Audit scope
coverage and limits of the audit

4. Audit approach and methodology


Risk-based approach.
Audits guided by COA IS/IT Audit Framework (CISITAF) and International
Standards of Supreme Audit Institutions (ISSAI)

5. Skills and competencies needed for the IS/IT audit


Knowledge of IS Auditors on:

1. Information Systems

2. Governance and Management of IT

3. Information Systems Acquisition, Development and Implementation

4. Protection of Information Assets

5. Information Systems Operations, Maintenance and Support

6. Members of the IS/IT audit team and their roles


Audit areas assigned to team members.
Admin stuff:

Custodian of submitted (physical and electronic) documents


Log of requested files - what has and has not yet been given

Custodian of working papers


(Pre-pandemic) Locators

7. Audit activities that will be performed – Planning, Execution, and Reporting


Detailed activities from Planning to Execution to Reporting, including timeline and
deadlines

General Audit Objectives


specific goals or purpose that the audit must accomplish.
to determine whether internal controls exist to minimize business risk, and that these
controls function as expected.

1. Controls embedded in the system and the related IT processes are working
effectively to preserve the confidentiality[1], integrity[2], and availability[3] of
information such that reliance[4] can be placed on the system and its reports;

2. Agency’s policies, standards, procedures, and controls comply[5] with
applicable laws, regulations, contracts, and industry standards; and

3. IT investments are not exposed to wastage, and benefits from such investments
are maximized.

[1] confidentiality – concerns protection of sensitive information from unauthorized
disclosure.

[2] integrity – relates to the accuracy and completeness of information as well as to
its validity in accordance with the business' set of values and expectations

[3] availability – relates to information being available when required by the
business process, and hence also concerns the safeguarding of resources.
[4] reliability of information – relates to systems providing management with
appropriate information for it to use in operating the entity, in providing financial
reporting to users of the financial information and in providing information for
reporting to the regulatory bodies regarding compliance with laws and regulations,
manual on it audit - india
[5] compliance – deals with complying with those laws, regulations and contractual
arrangements to which the business process is subject; i.e. externally imposed
business criteria. This essentially means that systems need to operate within the
ambit of rules, regulations and/or conditions of the organization.

Importance
address the risk/s associated with the activity under review.

might influence the audit engagement such as resources needed, timeline and
deliverables.

Preliminary Audit Engagement Documents


1. Auditor’s Independence Declaration

2. Confirmation of IS/IT Audit Team Competence

3. Engagement Letter

confirms the acceptance of the engagement.


provides minimum information on the audit objective, scope of work, extent of auditor’s
responsibilities, audit period coverage and form of the report.
may also include the responsibility of Management and those charged with governance, audit
requirements, and Management’s acknowledgement of the outlined terms and details.

4. Management Representation Letter

Management representation letter is used to confirm Management’s knowledge and
belief about their existing internal controls, disclosure of relevant information to the
IS/IT auditors, knowledge of any fraudulent/irregular activities, and any
non-compliance with laws, rules, and regulations.

5. Management Representation Letter on the copies of the cloned production
environment for testing purposes

6. Non-Disclosure Agreement

7. Entrance Conference Agenda

Details of the audit that will be laid out and discussed in the Entrance Conference

8. Minutes of the Meeting

| Entrance Conference | Exit Conference |
| --- | --- |
| Topics in the Engagement Letter | Topics discussed |
| Legal Basis | Audit Observations |
| Audit Objectives | Recommendations |
| Audit Scope and Period | Management Comments |
| Audit Criteria | Action Plan |
| Reporting or Deliverables | |
| Offices Involved | |
| Key Milestones | |
| Administrative Matters | |
| Other matters | |

9. Attendance Sheet

Audit Programs
step-by-step set of audit procedures and instructions that should be performed to
complete an audit.

tailor fit the audit program to the auditee’s setup and systems

Contents:
1. Audit area/issue

2. Criteria to be used

3. Information/documents needed

4. Detailed audit procedures

5. Time required to finish the audit procedure

Conduct of the Entrance Conference


Approval of the Office Order by the Chairman & Audit Work Plan by the Director
TS & TL explain the details of the Entrance Conference Agenda

1. legal basis of the audit

2. objectives

3. scope

4. timeline

5. offices involved

6. key milestones of the audit

7. assessment criteria

8. ensure due cooperation and support of the auditee

access to records and information

9. minutes of the meeting
