1. Audit charter or engagement letter
2. Preplanning the audit
3. Performing a risk assessment
4. Determining whether an audit is possible
5. Performing the actual audit
6. Gathering evidence
7. Performing audit tests
8. Analyzing the results
9. Reporting the results
10. Conducting any follow-up activities

It includes
• Information gathering
• Knowledge of the business itself
• Strategic objectives
• Financial objectives
• Operational objectives for internal control
• Identifying restrictions on scope
• Understanding the variety of audits
• Systematic approach to planning

3. Performing a Risk Assessment
• The auditor will need to identify potential risks to the organization
• The auditee will assist by providing information about their organization
• Risk management includes
– Identify assets, threats, vulnerabilities and existing controls
– Perform risk assessment
– Formulate a risk treatment plan
  • Accept
  • Reduce
  • Transfer
  • Avoid

4. Determining whether an audit is Possible
• Lack of sufficient and reliable evidence
• Existence of any third-party service providers
• Etc.

5. Perform the actual Audit
• Allocating staffing
– Audit's org structure
– Skills matrix
– Using the work of other people
• Ensure audit quality control
– Audit standards, guidelines, and procedures were developed to promote quality and consistency in a typical audit by ISACA and other organizations
• Define auditee communications
• Perform proper data collection
– Auditor needs to determine how data will be gathered for evidence to support the audit report
– Data collection techniques
  • Staff observation
  • Document review
  • Interviews
  • Workshops
  • Computer assisted audit tools (CAAT)
  • Surveys
• Review existing controls (review the existing internal controls that are intended to prevent, detect, or correct problems)

6. Gathering Audit Evidence
• Evidence is a collection of verifiable information that is used to prove or disprove a point
• Typical Evidence for IS Audits includes
– Documentary evidence, which can include a business record of transactions, receipts, invoices, and logs etc.
– Data extraction, which mines details from data files using automated tools
– Auditee claims, which are representations made in oral or written statements
– Analysis of plans, policies, procedures, and flowcharts
– Results of compliance and substantive audit tests
– Auditor's observations of auditee work

7. Performing Audit Tests
• Two basic methods have been used for audit testing
– Compliance testing
– Substantive testing
• Compliance testing tests for the presence or absence of something
– Information security policy present or not
– System audit logs activated or not
– Backup copies present or not etc.
• Substantive testing seeks to verify the content and integrity of evidence, it may include
– Complex calculations to verify account balances
– Perform physical inventory counts
– Execute sample transactions to verify the accuracy etc.
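
The difference between the two test methods, shown as an added example that is not part of the original slides: the compliance test only asks whether a control is present, while the substantive test recomputes account balances from the underlying transactions. All control names, account IDs and figures are constructed for illustration.

```python
from decimal import Decimal

# Constructed control inventory, as an auditee might report it (hypothetical names).
CONTROLS = {
    "information_security_policy": True,
    "system_audit_logs_activated": True,
    "backup_copies_present": False,
}

# Constructed ledger: balances the auditee reports, and the transactions behind them.
REPORTED_BALANCES = {"ACC-1": Decimal("150.00"), "ACC-2": Decimal("75.50")}
TRANSACTIONS = [
    ("ACC-1", Decimal("100.00")),
    ("ACC-1", Decimal("50.00")),
    ("ACC-2", Decimal("100.00")),
    ("ACC-2", Decimal("-20.00")),
]


def compliance_test(controls, required):
    """Presence/absence only: return the required controls that are missing."""
    return sorted(name for name in required if not controls.get(name, False))


def substantive_test(reported, transactions):
    """Recompute each balance from the transactions; return accounts that differ."""
    recomputed = {}
    for account, amount in transactions:
        recomputed[account] = recomputed.get(account, Decimal("0")) + amount
    findings = {}
    # Cover accounts that appear on only one side as well as mismatched ones.
    for account in sorted(set(reported) | set(recomputed)):
        claimed, actual = reported.get(account), recomputed.get(account)
        if claimed != actual:
            findings[account] = (claimed, actual)  # (reported, recomputed)
    return findings


if __name__ == "__main__":
    print("Nonconforming controls:", compliance_test(CONTROLS, CONTROLS))
    print("Balance discrepancies:", substantive_test(REPORTED_BALANCES, TRANSACTIONS))
```

A control can pass the compliance test and still fail substantively, which is why both methods appear in the audit plan.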

8. Analyzing the Results
• The goal is to determine if samples tested by the auditor indicate conformity (meets requirement) or nonconformity (fails requirement)
• Sufficiency of evidence
– Is there enough evidence of sufficient quantity and quality to fulfill the intended purpose and scope of the audit? If not, the auditor will not be able to prove conformity
• Contradictory evidence
– Contradictory evidence suggests either the auditor is doing something wrong or you have discovered evidence proving a problem actually exists (nonconformity)

9. Report Audit Findings
• Reporting is the process by which the auditor conveys to management their findings, it includes
– A title that includes the word independent (for an external audit)
– The applicable date of the report
– Identification of the parties
– An executive summary
– Any visual representations, charts, graphs, or diagrams
– A statement of the standards followed during the audit
– A statement of the procedures performed
– A statement of any auditor concerns, reservations
– Detailed findings and the auditor's opinion
– Auditor signature and contact information

10. Conduct any follow-up activities
• Sometimes events of concern are discovered, or occur, after an audit has been completed
• Events pose a material challenge to your final report
• These may require additional disclosures or adjustments to your report based on the nature of the event that was recently discovered or occurred.