IS AUDIT PROCESS

Sequence
1. Audit charter or engagement letter
2. Preplanning the audit
3. Performing a risk assessment
4. Determining whether an audit is possible
5. Performing the actual audit
6. Gathering evidence
7. Performing audit tests
8. Analyzing the results
9. Reporting the results
10. Conducting any follow-up activities

IS Audit Process Flow chart

1. Audit charter or engagement letter
• Audit Charter
  – Gives you the authority to perform an audit
  – Includes Responsibility, Authority and Accountability
• Engagement Letter
  – Delegation of an audit to an external organization via an engagement letter
  – Should include all points mentioned in audit charter
• Task / Assignment (Group Task, GT)
  – Prepare a format for audit charter and engagement letter
  – Presentation in a class

2. Preplanning the Audit
It includes
• Information gathering
• Knowledge of the business itself
• Strategic objectives
• Financial objectives
• Operational objectives for internal control
• Identifying restrictions on scope
• Understanding the variety of audits
• Systematic approach to planning

3. Performing a Risk Assessment
• The auditor will need to identify potential risks to the organization
• The auditee will assist by providing information about their organization
• Risk management includes
  – Identify assets, threats, vulnerabilities and existing controls
  – Perform risk assessment
  – Formulate a risk treatment plan
    • Accept
    • Reduce
    • Transfer
    • Avoid

4. Determining whether an audit is Possible
• Lack of sufficient and reliable evidence
• Existence of any third-party service providers
• Etc.

5. Perform the actual Audit
• Allocating staffing
  – Audit’s Org structure
  – Skills matrix
  – Using the work of other people
• Ensure audit quality control
  – Audit standards, guidelines, and procedures were developed to promote quality and consistency in a typical audit by ISACA and other organizations
• Define auditee communications
• Perform proper data collection
  – Auditor needs to determine how data will be gathered for evidence to support the audit report
  – Data collection techniques
    • Staff observation
    • Document review
    • Interviews
    • Workshops
    • Computer assisted audit tools (CAAT)
    • Surveys
• Review existing controls (review the existing internal controls that are intended to prevent, detect, or correct problems)

6. Gathering Audit Evidence
• Evidence is a collection of verifiable information that is used to prove or disprove a point
• Typical Evidence for IS Audits includes
  – Documentary evidence, which can include a business record of transactions, receipts, invoices, and logs etc.
  – Data extraction, which mines details from data files using automated tools
  – Auditee claims, which are representations made in oral or written statements
  – Analysis of plans, policies, procedures, and flowcharts
  – Results of compliance and substantive audit tests
  – Auditor’s observations of auditee work

7. Performing Audit Tests
• Two basic methods have been used for audit testing
  – Compliance testing
  – Substantive testing
• Compliance testing tests for the presence or absence of something
  – Information security policy present or not
  – System audit logs activated or not
  – Backup copies present or not etc.
• Substantive testing seeks to verify the content and integrity of evidence, it may include
  – Complex calculations to verify account balances
  – Perform physical inventory counts
  – Execute sample transactions to verify the accuracy, etc.
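Added example (not part of the original slides): a short Python sketch contrasting the two test methods above, with a compliance test that only checks presence or absence and a substantive test that recalculates account balances from sample transactions. The control names, ledger entries, reported balances and function names are all constructed for illustration.

```python
from decimal import Decimal

# Constructed sample evidence (assumption): not data from the slides.
CONTROLS = {
    "information_security_policy": True,
    "system_audit_logs_activated": False,
    "backup_copies_present": True,
}
LEDGER = [  # (account, amount) sample transactions
    ("A-100", "250.00"), ("A-100", "-75.50"),
    ("A-200", "1200.00"), ("A-200", "-200.00"), ("A-200", "15.25"),
]
REPORTED_BALANCES = {"A-100": "174.50", "A-200": "1015.00", "A-300": "40.00"}


def compliance_test(controls):
    """Presence/absence only: the content of each control is not examined."""
    return {name: "conformity" if present else "nonconformity"
            for name, present in controls.items()}


def substantive_test(ledger, reported):
    """Recalculate each balance from the transactions and compare it with
    the reported figure, i.e. verify the content of the evidence."""
    computed = {}
    for account, amount in ledger:
        computed[account] = computed.get(account, Decimal("0")) + Decimal(amount)
    findings = {}
    for account, stated in reported.items():
        if account not in computed:
            # No transactions sampled: nothing can be proven either way.
            findings[account] = "insufficient evidence"
        elif computed[account] == Decimal(stated):
            findings[account] = "conformity"
        else:
            findings[account] = f"nonconformity (recomputed {computed[account]})"
    return findings


if __name__ == "__main__":
    for name, result in compliance_test(CONTROLS).items():
        print(f"compliance  {name}: {result}")
    for account, result in substantive_test(LEDGER, REPORTED_BALANCES).items():
        print(f"substantive {account}: {result}")
```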

8. Analyzing the Results
• The goal is to determine if samples tested by the auditor indicate conformity (meets requirement) or nonconformity (fails requirement)
• Sufficiency of evidence
  – Is there enough evidence of sufficient quantity and quality to fulfill the intended purpose and scope of the audit? If not, the auditor will not be able to prove conformity
• Contradictory evidence
  – Contradictory evidence suggests either the auditor is doing something wrong or you have discovered evidence proving a problem actually exists (nonconformity)

9. Report Audit Findings
• Reporting is the process by which the auditor conveys to management their findings, it includes
  – A title that includes the word independent (for an external audit)
  – The applicable date of the report
  – Identification of the parties
  – An executive summary
  – Any visual representations, charts, graphs, or diagrams
  – A statement of the standards followed during the audit
  – A statement of the procedures performed
  – A statement of any auditor concerns, reservations
  – Detailed findings and the auditor’s opinion
  – Auditor signature and contact information

10. Conduct any follow-up activities
• Sometimes events of concern are discovered, or occur, after an audit has been completed
• Events pose a material challenge to your final report
• These may require additional disclosures or adjustments to your report based on the nature of the event that was recently discovered or occurred
