Audit Documentation
Information Systems Audit and Control Association
1998-1999 STANDARDS BOARD

Chair: Lynn Christine Lawton, CISA, FCA, FIIA, PIIA, KPMG, United Kingdom
John W. Beveridge, CISA, CFE, CGFM, Commonwealth of Massachusetts, USA
Marcelo Abdo Centeio, Companhia Siderurgica Nacional, Brazil
Claudio Cilli, CISA, Ernst & Young, Italy
Svein Erik Dovran, CISA, The Banking Insurance and Securities Commission of Norway
Stephen W. Head, CISA, CPA, CPCU, CMA, CFE, CISSP, CBCP, Royal & SunAlliance, USA
Fred Lilly, CISA, CPA, Fred L. Lilly, CPA, USA
Ai Lin Ong, CISA, ACA, PA, PricewaterhouseCoopers, Malaysia
David W. Powell, CISA, FCA, CIA, Deloitte Touche Tohmatsu, Australia
1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard 060.020 (Evidence) states: "During the course of the audit, the Information Systems Auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

1.1.2 Standard 070.010 (Report Content and Form) states: "The Information Systems Auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage, and the nature and extent of the audit work performed. The report is to identify the organisation, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions and recommendations and any reservations or qualifications that the auditor has with respect to the audit."

1.2 Need for Guideline

1.2.1 The purpose of this Guideline is to describe the documentation that the IS Auditor should prepare and retain to support the audit.

1.2.2 This Guideline provides guidance in applying IS auditing standards. The IS Auditor should consider it in determining how to achieve implementation of the above Standards, use professional judgment in its application and be prepared to justify any departure.

2. PLANNING

2.1 Documentation Contents

2.1.1 Information systems audit documentation is the record of the audit work performed and the audit evidence supporting the IS Auditor's findings and conclusions. Potential uses of documentation include:
• Demonstration of the extent to which the IS Auditor has complied with the IS Auditing Standards
• Assistance with planning, performance, and review of audits
• Facilitation of third-party reviews
• Evaluation of the IS auditing function's quality assurance programme
• Support in circumstances such as insurance claims, fraud cases, and lawsuits
• Assistance with the professional development of the staff

2.1.2 Documentation should include, at a minimum, a record of:
• The planning and preparation of the audit scope and objectives
• The audit programme
• The audit steps performed and audit evidence gathered
• The audit findings, conclusions, and recommendations
• Any report issued as a result of the audit work
• Supervisory review

2.1.3 The extent of the IS Auditor's documentation will depend on the needs for a particular audit and should include such things as:
• The IS Auditor's understanding of the area to be audited and its environment
• The IS Auditor's understanding of the information processing systems and the internal control environment
• The author and source of the audit documentation and the date of its completion
• Audit evidence and source of the audit documentation and the date of completion
• The auditee's response to recommendations

2.1.4 Documentation should include audit information that is required by law, by government regulations, or by applicable professional standards. The documentation should be clear, complete and understandable by a reviewer.

2.2 Documentation Custody, Retention and Retrieval

2.2.1 Policies and procedures should be in effect to ensure appropriate custody and retention of the documentation that supports audit findings and conclusions for a time sufficient to satisfy legal, professional, and organisational requirements.

2.2.2 Documentation should be organised, stored, and secured in a manner appropriate for the media on which it is retained and should continue to be retrievable for a time sufficient to satisfy the policies and procedures defined above.

3. EFFECTIVE DATE
3.1 This Guideline is effective for all information systems audits beginning on or after 1 September 1999.
Copyright 1999 Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545  Fax: +1.847.253.1443  Email: research@isaca.org