Information System Process

Chapter 7: IS Audit Process

7.1. Introduction
The scope of an information systems audit includes verifying the existence and performance of controls.
The selection of the controls to test remains a critical decision for the information systems auditor and
will have a major role in determining the quality of the audit. In order to ensure adequate coverage of
testing, the auditor is required to prioritize testing of controls. Prioritization essentially depends on the
corresponding loss exposure to the auditee in the event of the failure of a specific control. The likelihood
of a control failing, and even being activated, is uncertain.

7.2. IS Audits Areas of Focus for an Auditor

Auditors involved in reviewing an information system should focus their concerns on the system’s
control aspects. They must look at the total systems environment not just the computerized segment. This
requires their involvement from the time that a transaction is initiated until it is posted to the
organization’s general ledger. Specifically, auditors must ensure that provisions are made for:
1) An adequate audit trail so that transactions can be traced forward and backward through the system.
2) Controls over the accounting for all data
3) Handling exceptions to and rejections from the computer system.
4) Testing to determine whether the systems perform as stated.
5) Control over changes to the computer system to determine whether the proper authorization has been
given.
6) Authorization procedures for system overrides.
7) Determining whether organization and Government policies and procedures are adhered to in system
implementation.
8) Training user personnel in the operation of the system.
9) Developing detailed evaluation criteria so that it is possible to determine whether the implemented
system has met predetermined specifications.
10) Adequate controls between interconnected computer systems.
11) Adequate security procedures to protect the user’s data.
12) Backup and recovery procedures for the operation of the system.
13) Technology provided by different vendors
14) Databases are adequately designed and controlled to ensure that common definitions of data are used
throughout the organization, that redundancy is eliminated or controlled and that data existing in
multiple databases is updated concurrently.

7.3. Elements of IS Audit

An information system is not just a computer. Today's information systems are complex and have many
components that piece together to make a business solution. Assurances about an information system can
be obtained only if all the components are evaluated and secured. The proverbial weakest link is the total
strength of the chain. The major elements of IS audit can be broadly classified:
1) Physical and environmental review - This includes physical security, power supply, air
conditioning, humidity control and other environmental factors.
2) System administration review -This includes security review of the operating systems, database
management systems, all system administration procedures and compliance.
3) Application software review -The business application could be payroll, invoicing, a web-based
customer order processing system or an enterprise resource planning system that actually runs the
business. Review of such application software includes access control and authorizations, validations,
error and exception handling, business process flows within the application software and

Chapter 7: IS Audit Process Page 1

 complementary manual controls and procedures. Additionally, a review of the system development
lifecycle should be completed.
4) Network security review - Review of internal and external connections to the system, perimeter
security, firewall review, router access control lists, port scanning and intrusion detection are some
typical areas of coverage.
5) Business continuity review - This includes existence and maintenance of fault tolerant and
redundant hardware, backup procedures and storage, and documented and tested disaster
recovery/business continuity plan.
6) Data integrity review - The purpose of this is scrutiny of live data to verify adequacy of controls and
impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be
done using generalized audit software (e.g., computer assisted audit techniques).

7.4. Types of Audit

The IS auditor should understand the various types of audits that can be performed, internally or
externally, and the audit procedures associated with each:
1. Financial audits —assess the correctness of an organization’s financial statements. A financial audit
will often involve detailed, substantive testing. This kind of audit relates to information integrity and
reliability. A historically oriented, independent evaluation performed for the purpose of attesting to
the fairness, accuracy, and reliability of financial data
2. Operational audits —evaluate the internal control structure in a given process or area. IS audits of
application controls or logical security systems are examples of operational audits.
3. Integrated audits —An integrated audit combines financial and operational audit steps. It is also
performed to assess the overall objectives within an organization, related to financial information and
assets’ safeguarding, efficiency and compliance. An integrated audit can be performed by external or
internal auditors and would include compliance tests of internal controls and substantive audit steps.
4. Administrative audits —assess issues related to the efficiency of operational productivity within an
organization.
5. Information Systems audits —This process collects and evaluates evidence to determine whether
the information systems and related resources adequately safeguard assets, maintain data and system
integrity, provide relevant and reliable information, achieve organizational goals effectively,
consume resources efficiently, and have in effect internal controls that provide reasonable assurance.

There are three basic kinds of IS Audits that may be performed:

a. General Controls Review: A review of the controls which govern the development, operation,
maintenance, and security of application systems in a particular environment. This type of audit
might involve reviewing a data center, an operating system, a security software tool, or processes
and procedures (such as the procedure for controlling production program changes), etc.
b. Application Controls Review: A review of controls for a specific application system. This would
involve an examination of the controls over the input, processing, and output of system data.
Data communications issues, program and data security, system change control, and data quality
issues are also considered.
c. System Development Review: A review of the development of a new application system. This
involves an evaluation of the development process as well as the product. Consideration is also
given to the general controls over a new application, particularly if a new operating environment
or technical platform will be used.
6. Specialized audits - Within the category of IS audits, there are a number of specialized reviews that
examine areas such as services performed by third parties and forensic auditing.
7. Forensic audits - Traditionally, forensic auditing has been defined as an audit specialized in
discovering, disclosing and following up on frauds and crimes. In recent years, the forensic

Chapter 7: IS Audit Process Page 2

 professional has been called upon to participate in investigations related to corporate fraud and
cybercrime.
8. Investigative Audit
This is an audit that takes place as a result of a report of unusual or suspicious activity on the part of
an individual or a department. It is usually focused on specific aspects of the work of a department or
individual.
9. Follow-up Audit
These are audits conducted approximately six months after an internal or external audit report has
been issued. They are designed to evaluate corrective action that has been taken on the audit issues
reported in the original report. When these follow-up audits are done on external auditors' reports, the
results of the follow-up may be reported to those external auditors.

7.5. Phases of the Audit Process

The information system (IS) controls audit involves the following three phases:
1. Planning: The auditor determines an effective and efficient way to obtain the evidential
matter necessary to achieve the objectives of the IS controls audit and the audit report.
a) Preliminary review phase: The main objective of this step is to obtain the information
necessary for the auditor to make a decision on how to proceed with the audit. This stage
includes a review of the management and application controls existing in the company.
b) The detailed review phase: The objective of this phase is to obtain the information necessary for
the auditor to have an in-depth understanding of the controls used in a computer installation.
2. Testing: The auditor tests the effectiveness of IS controls that are relevant to the audit
objectives.
a) The compliance testing phase: The objective of this phase is to determine whether or not the
system of internal controls operates as it is supposed to operate.
b) The substantive testing phase: The objective of this phase is to obtain sufficient evidence to
enable the auditor make a final judgment on whether or not material losses have occurred during
computer data processing.
c) Overall evaluation: Upon substantive testing, the auditor once again has an overall view of the
control systems existing within the company.
3. Reporting: On completing the audit process, the auditor prepares a comprehensive audit report
giving details of all the phases of review and testing conducted. The audit report also consists of the
recommendations of the auditor for improvement in control systems.

7.6. Audit Process Stages

A systems based audit comprises the following stages:
1) Preparing for & planning the audit assignment
2) Ascertaining and recording the system
3) Identifying system objectives
4) Identifying risks and evaluation controls against risks
5) Testing controls
6) Arriving at conclusions
7) Audit report writing

7.7. Preparing for & Planning the Audit Assignment

The preparing for & planning the audit assignment consists of: preliminary survey, organizing kick-off
meeting and preparing an audit plan.

Chapter 7: IS Audit Process Page 3

7.7.1. Techniques Used for Information Systems Planning
Various techniques used by the auditors include audit area selection, simulation and modeling, scoring,
and competency center.
a) Audit area selection: This technique is applicable in multi-locational complex computer systems. It
helps the auditor to identify the areas where the audit would require the maximum attention. This
helps to optimize the use of limited resources effectively in potential problem areas. For example, the
data center is an area of importance for the audit wherever the auditee uses a centralized operation.
Key indicators of business risk and control risks are identified and placed in the form of a matrix.
The resource requirement for the audit is compared with available resources, and wherever the latter
falls short, specific areas are to be selected for detailed examination. The areas with high business
risks and high control risks are what the audit procedures will focus on.
b) Simulation and modeling: This audit procedure is used to monitor selected transactions on a
continuous basis. A comparison is made between the expected results and the actual results from the
process. Expected results are derived by simulation of the process. Differences between the expected
and actual results help to identify areas where deviations have taken place. This technique also
identifies problem areas that require the auditor’s attention. A common application of the technique
is monitoring the network load. If the network load is higher than expected on a consistent basis, the
auditor will accord a higher priority to review of the same.
c) Scoring: In this technique, the characteristics of a computer application system are identified and
quantified. A score is awarded for each of the characteristics and a weighted score is derived. A total
of the individual weighted scores gives us the score of the system.
d) Competency center: In a computerized system spread over many locations, an alternative technique is
the centralized audit approach. The audit is conducted from a centralized location using auditing
software and other processes. Other locations are visited on a selective basis to evaluate controls that
require physical verification. Multisite audit software is used while adopting this technique. Effective
use of this technique requires the computer system at different sites to be same or almost identical,
for example, the software used in banks.

Preliminary survey: undertaken in order to get an overview of the area to be audited. This preliminary
survey should provide the basis for planning the audit, and for determining:
a) The objectives of the audit;
b) The scope of the audit and any specific areas that are to be given emphasis because they are high risk,
are of critical importance to the system and/or suffer from weaknesses which are already known;
c) Target dates for completion of each stage of the audit work;
d) Which auditors are to be employed on the audit and who is responsible for supervising the audit team
and ensuring the quality of the audit work.

The preliminary survey will also establish the boundaries of the systems under review and identify any
interfaces with other systems and any other audits which are planned. This provides the basis for drafting
the Audit plan. The preliminary survey should involve:
a) Review of the permanent audit file and previous audit reports, including reports from the State Audit
Office;
b) Review of the strategic and operational plans of the area to be audited;
c) Current organization charts;
d) Review of budget and management information;
e) Initial discussions with management of the organizational units to establish their objectives in the
area to be audited;
f) Review of relevant legislation, regulations, instructions etc.

Chapter 7: IS Audit Process Page 4

At this stage it is also useful to identify the goals and objectives of the area(s) under review and the key
risks relating to those goals and objectives. The review of previous audit reports is an important part of
the preliminary survey. The reports provide an insight into the level of control at the time of the last
audit, and an opportunity to establish whether or not agreed recommendations have been implemented by
management.

Kick-off meeting: Prior to the Kick-off meeting the internal auditors and external experts are required
to have a Letter of Authorization, signed by of the Head of the Internal Audit unit, whereas the
appointment of the Head of the Internal Audit unit, signed by the person in charge of the institution, prior
to the performance of any of the audits within the Annual Plan.
The Letter of Authorization shall specify:
- Systems and procedures subject to the audit;
- Objectives of the audit set out in the Annual Internal Audit Plan;
- Audit team and Team Leader; and
- Time-frame and deadline for submission of Final Internal Audit Report.

The formal start of the audit is the Kick-off meeting which should be held between the Head of the
department to be audited and the Chief Internal Auditor accompanied by the Team Leader/Auditor
carrying out the work. This meeting is intended to:
a) Introduce the audit team to the management of the department to be audited;
b) Outline the objective of the audit and give a brief overview of the methodology to be used – if this is
the first audit of the department it will be necessary to give a more detailed explanation of the
approach;
c) Ask management to suggest particular areas which they think should be examined;
d) Discuss areas which internal auditors consider on the focus of the audit;
e) Explain that internal audit will keep them informed of the progress of the audit, and that
management’s assistance will be welcomed throughout the audit.
f) Request additional information about the business process under audit and agree on the list of
documents required from the auditee;
g) Distribute a copy of the Internal Audit Charter to all present on the Kick-off meeting

Audit Plan: After the preliminary survey and the kick-off meeting, an Audit Plan should be prepared.

7.8. Ascertaining And Recording The System

This involves
1. Describing the system
2. Undertaking a Walk through testing

Purpose for describing the system

The main reasons for describing the system are:
a) To confirm the auditor’s understanding of the system formulating clear process / system objectives;
b) To establish any interfaces between systems;
c) To establish how the system fits within the Organization;
d) To provide a basis for assessing the extent to which internal controls prevent or detect and correct
errors.
The description of the system forms the basis for the auditor’s judgment, conclusions and
recommendations. It also should provide basis for the evaluation of the strengths and weaknesses in
internal control.

Chapter 7: IS Audit Process Page 5

The auditor should decide which technique or combination of techniques for recording systems (text
and/or flowchart) is most appropriate, taking into account the nature and complexity of the system, the
audit objectives and any audit work done earlier.
Sources of information can include:
a) Files and papers from earlier audits;
b) Organizational and procedural rulebooks, manuals, guidelines and other acts used in the organization;
c) Interviews and informal discussions with managers and staff
d) Observation of the physical environment and the working methods used. It is particularly useful
where no physical evidence that something has happened remains after the event. Remember that the
presence of the auditor may influence the behaviour of staff and the practices observed may not,
therefore, be typical. It may also be difficult to substantiate the evidence.
e) Documents and records used in the system;
f) Reports prepared by any Control and Inspection Units;
g) Any other reports relating to the area under audit;
h) Management information.

7.8.1. Steps Required in Documenting Systems

1. Establish an outline of the system to enable you to decide on whether to use narrative or flowcharting
to document the system, and also to decide which of the main sub-systems it will be appropriate to
describe separately;
2. Obtain a detailed description of the systems and internal control features from discussions with
departmental personnel. This should include a record of:
a. Which processes and procedures are carried out and by whom;
b. Any changes in procedures for different types or groups of transactions – eg those of high
value;
c. Measures taken to maintain the continuity of the working process (lunch hours, holidays,
vacations or peak flows of operations);
d. All documents used in the process;
e. All computer reports along with their purpose and the way they are used.
3. Record information on rough flowcharts or notes. If possible compare with acts describing internal
procedures.
4. Perform walk-through tests to ensure that the system actually does operate in the manner which has
been described.
5. Prepare documentation describing the system – narrative and/or flowchart.
6. Cross reference documents and reports of the system to the narrative and/or flowchart.

When documenting system, the internal auditor should remember that the volume of documentation
should be limited to what is needed to identify and record the internal controls.

Minimum Contents of System Documentation

Whichever method is used for documenting the procedures in each system there are certain items, which
should be included on every system file. These are:
1. Examples of documents describing their purpose and use. These documents and reports should be
filed in the order in which they are used in the system, and cross-referenced to the narrative note or
flowchart.
2. Examples of reports (whether computerized or manually prepared) describing their purpose and use;
3. Details of the number of transactions passing through the system. These are essential to a full
understanding of the context of the system in relation to the overall activities of the entity. It is
therefore necessary to summarize data such as:

Chapter 7: IS Audit Process Page 6

 • Number of transactions;
• Value of transactions;
• Seasonal fluctuations.
4. Forms used to evaluate the system.

Walk-through testing
In conducting ‘walk through’ tests, the auditor looks primarily for evidence of the existence of controls.
This may involve examining a small number of different transactions at each stage of the process or
following one transaction through from start to finish. The aim of this type of testing is to make sure that
the system works in the way it is described in the systems narrative or flowcharts and to confirm the
controls in place at each stage.
• If there is a difference, or any other information is identified which is inconsistent with the flowchart,
you should refer back to the original source of the information before doing any more work. This is
important because, if the system record has to be amended, the paths for walk-through test also may
have to be changed.
• When the difference is the result of an incidental breakdown in the system, you will normally need
only to record this fact on your working papers. This information will then be taken into account in
the evaluation of internal control.

7.9. Identifying System Objectives

The key to an effective system based audit is to identify the system objectives that determine the control
objectives against which controls in the system can be audited. A systems based audit is concerned
particularly with establishing the link between controls and objectives in order to gather evidence to
support the auditor’s professional opinion on the adequacy and effectiveness of internal control in that
system.

By obtaining an understanding of what the objectives of the system are, it will help you to identify what
the control objectives should be. The control objectives need to be consistent with the objectives of
management in the organization, and should be discussed and agreed with management before you start
any evaluation of controls. In order to ensure that security of information systems is preserved, the entity
needs to ensure that usage of information systems assets and related processes, whether computerized or
manual, is governed by an internal control system.

Information systems control objectives include the following:

1) Safeguarding information systems assets
2) Compliance with corporate policies, and regulatory and legal requirements
3) Assuring system reliability
4) Maintaining data integrity
5) Assuring system security
6) Assuring system availability
7) Maintaining system controllability
8) Assuring system maintainability
9) Assuring system usability
10) Assuring system effectiveness
11) Maintaining system economy and efficiency
12) Maintaining system quality.

7.9.1. Establishing Control Objectives

This involves:
Chapter 7: IS Audit Process Page 7
1. identifying the main activities;
2. determining the objectives of those activities or processes, and
3. developing the control objectives which will help ensure the achievement of the objectives of the
main activities or processes.

Control objectives should include general control requirements such as:

a) economy and efficiency
b) prevention and detection of fraud and abuse
c) reliability and adequacy of management information
d) compliance with laws, legislation, management policies and rules
e) security of assets, intellectual property and data
f) the completeness and accuracy of the records and accounts of the organization.

Control objectives should relate to the particular nature and operation of the activities which are needed
to meet the specific objectives of the system. They should also be specific and show the purpose of
control - and not the control itself. For example:
• in a purchasing system one control objective might be ‘to ensure that invoices are paid only for goods
or services which have been received’
• in a payroll system a control objective could be: ‘to ensure that payments are made only to valid
employees of the organization’
• in a security audit a control objective could be ‘to make sure that only accredited staff and visitors are
permitted to enter the building’.

7.9.2. System Effectiveness and Efficiency

During the course of information systems audit, an auditor is often required to comment on the
effectiveness and efficiency of a system. An information systems auditor is required to know the
difference between the two, which is described below.
 Effectiveness evaluation determines whether the system is achieving its objectives and whether the
system should be continued, modified, upgraded, or scrapped. Effectiveness analysis may be done at
the design stage to ensure that user needs are being fulfilled and the system is achieving its
implementation objectives.
 Efficiency of a system is reflected by usage of the minimum amount of resources to achieve its
objectives. The resources may be of different kinds, including machine time, peripherals, system
software, application software, and human resources.

7.10. Identifying Risks & Evaluating Controls against Risks

Risk is the likelihood that the entity would face a vulnerability being exploited or a threat becoming
harmful. Vulnerability is the inherent weaknesses of a system or process that can be exploited by a threat.
Threats stand for uncertain events that can cause loss to the entity. The threats exploit the gap between
the level of protection necessary and the degree of protection achieved. Once an entity is aware of the
potential loss, it decides on a risk mitigation strategy. The likelihood of the risk resulting in an
unfavorable exposure may be so low that the entity may decide to keep the risk unmitigated. On the other
hand, in extreme cases the cost of mitigating a risk may be so high that the entity may opt to accept it.

The information systems auditor keeps the risk strategy in mind while conducting the information
systems audit. People, processes, systems, and external events are all potential hazards to operations in an
entity. Inadequacy or failure of any one of them can result in events that may cause loss. The loss may
not always be described in monetary terms but may involve intangibles such as loss of reputation.

Chapter 7: IS Audit Process Page 8

Risk factors inherent in business operations include the following nine examples:
1) Access risk, referring to the risk of an unauthorized user securing access to information assets.
2) Business disruption risk, or the risk of non-availability of services from information systems
resources.
3) Credit risk, such as the failure of a counterparty honoring their payment obligation.
4) Customer service risk, referring to the risk of customers being deprived of services.
5) Data integrity risk, or the risk of a possible compromise of data integrity that may arise for various
reasons, including unauthorized access.
6) Financial/external report misstatement risk, referring to the risk that reports prepared by the entity
contain misstatements and errors.
7) Fraud risk, referring to the risk of losses arising out of fraud committed using information systems
resources.
8) Legal and regulatory risk, referring to risk of noncompliance to legal and regulatory requirements
and consequences thereof.
9) Physical harm risk, referring to the risk of suffering from bodily harm.

7.10.1. Identifying Risks

Risks should be identified and recorded for each control objective. This will make it easier to decide the
type of testing and how much testing needs to be done. The risk endangers the achievement of the
objectives defined for the process. During the execution of the processes many errors may emerge. These
may be unintentional errors (misunderstandings, confusions, lack of competence etc.) but also intentional
errors (varying from deliberate wrong application of rules to abuse like forgery and misappropriation
usage of means). Such risk can be identified on the basis of the information collected at an earlier stage.
The auditor shall estimate the risk at the planning stage and during the audit itself.

7.10.2. Identification of key controls

The next stage of a Systems Based Audit is to identify and evaluate controls which exist to lessen the risk
of failing to achieve a particular control objective. Controls are actions and procedures established by the
auditee to ensure that the objectives of a system are met. Even if objectives are met without controls,
reliance cannot be placed on any system which functions without adequate controls.

The key elements of this are:

• deciding on the risks relating to each control objective
• identifying the actual controls which exist in the system
• evaluating the effectiveness of those controls.

For each risk, using the description of the system you prepared, you should then identify the control or
controls which are intended to manage that risk. There are four basic types of Internal Control:
a) preventive - designed to prevent the occurrence of inefficiencies, errors or irregularities. They cannot
guarantee that inefficiencies will not occur, nor errors or irregularities, but they decrease the
probability of their occurrence. Some examples for this are the division of duties and setting up levels
for approval depending of the amount to be paid.
b) detective - designed to detect and correct inefficiencies, errors or irregularities. They may not give
absolute assurance since they operate after an event has occurred or an output has been produced.
Still, they should reduce the risk of undesirable consequences as they enable remedial action to be
taken.
Detective controls are most effective when they form part of a feedback loop in which their results
are monitored and used to improve procedures or preventive controls. Examples include post-
payment checks, stock verification and bank reconciliations.

Chapter 7: IS Audit Process Page 9

c) directive - designed to cause or encourage events necessary to the achievement of objectives.
Examples include clear definition of policies and procedures, the setting of targets, and adequate
training and staffing.
d) corrective - to identify and evaluate alternative courses of action, to implement appropriate measures
to remedy the situation and minimize damage. Examples for these controls are correcting errors
during computer calculation of salaries or correcting errors when entering data in software database
for the quantities of goods on stock in warehouse.

7.10.3. Evaluation of controls

Evaluating controls involves two stages:
1. evaluating the system design to establish the adequacy of control,
The auditor must consider whether the control objectives will be achieved by the identified controls.
This requires the use of audit judgement. This preliminary evaluation of the adequacy of the existing
controls involves:
a) starting at the higher level controls (e.g. planning and risk management) and working down to
lower level controls over individual transactions
b) considering the probability that something will go wrong and the significance (materiality) to the
organization if it does go wrong
c) looking for compensating controls which may enable the control objective to be met
d) looking for unnecessary controls, or ones which cost too much to apply.

2. evaluating the operation of the system to establish the effectiveness of control

This involves testing to ensure that the controls which have been identified have been operated as
intended and that they are achieving the control objective.

The IS auditor must understand the procedures for testing and evaluating information systems controls.
These procedures could include:
a) The use of generalized audit software to survey the contents of data files (including system logs)
b) The use of specialized software to assess the contents of operating system parameter files (or detect
deficiencies in system parameter settings)
c) Flow-charting techniques for documenting automated applications and business process
d) The use of audit reports available in operation systems
e) Documentation review
f) Observation

7.11. Testing Controls

Why Test
Audit testing is a supplement to management’s own testing, and is an essential part of the independent
appraisal of internal control carried out by internal audit. This testing:
 confirms that management has been carrying out checking and testing, and
 detects violations which management may not have identified.

Audit testing can be a very substantial part of the audit process, sometimes taking up to half the time
available for the audit. This means it is important to ensure:
 audit tests are carefully planned
 there is adequate evidence of the testing which has been done
 conclusions can be fully supported by the testing done.

Chapter 7: IS Audit Process Page 10

Types of Testing
There are two main types of testing: test of controls or compliance test and substantive testing.
1. Compliance testing: Compliance tests aim at collecting evidence whether the control procedures are
correctly implemented and are reliable. The objective is to determine whether or not the system of
internal controls operates as it is supposed to operate. Compliance tests are performed to guarantee
the effectiveness of the functioning of internal control measures throughout the control period. The
purpose of compliance tests (i.e. testing the control mechanisms and procedures) is to confirm that
the existing control procedures are correctly applied and are reliable.

The main purpose of compliance tests is not to identify errors, deviations or potential fraud, but to
identify the control procedures, which are not performed correctly. The reasons for the omissions and
deviations are more important to the auditors than the omissions and deviations themselves. The
number of compliance tests carried out depends on two factors:
a. the size of the information flow related to the respective process;
b. the nature of the control measures.
2. Substantive Tests: Substantive testing is done where it has been determined, through compliance
testing that internal controls are weak or inadequate and involves obtaining sufficient evidence to
enable the auditor make a final judgment on whether or not material losses have occurred during
computer data processing. The purpose of this is two-fold:
 to determine if any significant losses have occurred, and
 to contribute towards internal audit’s assessment of the organization’s overall control
environment.

The following are the five types of substantive tests that can be used within a data processing
installation:
a) Tests to identify erroneous processing
b) Tests to assess the quality of data
c) Tests to identify inconsistent data
d) Tests to compare data with physical counts
e) Confirmation of data with outside sources

The results of this work will either:

 provide assurance to management that there has not been any significant losses, to the organisation as
a result of a weak control environment, or
 provide evidence to management that the weak control environment has lead to significant losses,
and thus prompt management to take appropriate action

The objective of substantive testing is to evaluate the adequacy and completeness of outputs rather than
the operation of controls.

7.12. Audit Report

The exact format of an audit report vary by organization. However, the skilled IS auditor should
understand the basic components of an audit report and how it communicates audit findings to
management. The IS auditor should become familiar with the ISACA S7 Reporting and S8 Follow-up
Activities standards.

There is no specific format for an IS audit report, yet the organization’s audit policies and procedures will
dictate the format generally. Audit reports, however, usually will have the following structure and
content:
Chapter 7: IS Audit Process Page 11
1. An introduction to the report, including a statement of audit objectives and scope, the period of
audit coverage, and a general statement on the nature and extent of audit procedures examined during
the audit
2. The IS auditor’s overall conclusion and opinion on the adequacy of controls and procedures
examined during the audit
3. The IS auditor’s reservations or qualifications with respect to the audit. This may state that the
controls or procedures examined were found to be adequate or inadequate. The balance of the audit
report should support that conclusion and the overall evidence gathered during the audit should
provide an even greater level of support.
4. Detailed audit findings and recommendations and the decision to include or not include findings
in an audit report. These should be based on the materiality of the findings and the intended recipient
of the audit report. An audit report directed to the audit committee of the board of directors, for
example, may not include findings that are important to local management but have little control
significance to the overall organization. The decision of what to include in various levels of audit
reports depends upon the guidance provided by upper management.
5. A variety of findings, some of which may be quite material while others are minor in nature
6. Limitations to audit
7. Statement on the IS audit guidelines followed

The ISACA IS Auditing Guideline, Report Content and Form, specifies that the report should include all
significant audit findings. When a finding requires explanation, the IS auditor should describe the
finding, its cause and its risk. When appropriate, the IS auditor should provide the explanation in a
separate document and make reference to it in the report.

7.13. Information Systems Abuse

Information systems abuse may manifest itself in various ways. This may include the following:
1) Destruction of assets: Hardware, software, networking infrastructure, data, facilities, documentation,
files, and so forth may be destroyed.
2) Theft of assets: Illegal removal of hardware, software, data, documentation, or peripherals may take
place.
3) Modification of assets: Unauthorized access and modification of hardware, software, data, or
documentation may affect safeguarding and security of information systems assets. Often
unauthorized modification of assets may lead to unknown incompatibility with other components,
which can seriously compromise functionality of the system.
4) Acts that involve non-compliance with laws and regulations, including the failure of IT systems to
meet applicable laws and regulations
5) Acts that involve non-compliance with the organisation’s agreements and contracts with third parties,
such as banks, suppliers, vendors, service providers and stakeholders
6) Manipulation, falsification, forgery or alteration of records or documents (whether in electronic or
paper form)
7) Privacy violation: Privacy of data relating to a person or an organization may be compromised, which
could have a far-reaching impact, including loss of business.
a. Compromise of confidentiality of customer data.
b. Inappropriate or deliberate leakage of confidential information
8) Disruption of operations: Day-to-day operations of the information systems functions may be
disturbed, and at the extreme this could temporarily disrupt the working of the entire system.
9) Unauthorized use of assets: Hardware, software, data, facilities, documentation, peripherals, or
supplies may be used for unauthorized purposes that may cause losses to the organization. A

Chapter 7: IS Audit Process Page 12

 common example is the unauthorized download of music or a movie, creating a network load and
slowing down network performance for legitimate usage.
10) Fraud is the deliberate misrepresentation of fact for the purpose of depriving the University
permanently of property or legal right to property. Examples include, but are not limited to:
 Corruption: conflicts of interest, bribery, illegal gratuities, and economic extortion.
 Recording of transactions in financial or other records (whether in electronic or paper form) that
lack substance and are known to be false
 Suppression or omission of the effects of transactions from records or documents (whether in
electronic or paper form)
 Cash asset misappropriation: larceny; skimming; check tampering; and fraudulent disbursements,
including billing, payroll, and expense reimbursement schemes.
 Non-cash asset misappropriation: larceny; false asset requisitions; destruction, removal or
inappropriate use of records and equipment; inappropriate disclosure of confidential information;
and document forgery or alteration.
 Fraudulent statements: financial reporting, employment credentials, and external reporting.
 Fraudulent actions by customers, vendors or other parties include bribes or inducements, and
fraudulent (rather than erroneous) invoices from a supplier or information from a customer.
 Activities that could result in any of the above or similar incidents would be considered as threats
to information systems and the auditee’s organization must have safeguarding mechanisms in
place to prevent such occurrences.

7.14. Responsibilities of Management

It is primarily management’s responsibility to prevent and detect irregularities and illegal acts.
Management typically use the following means to obtain reasonable assurance that irregularities and
illegal acts are prevented or detected in a timely manner:
a) Designing, implementing and maintaining internal control systems to prevent and detect irregularities
or illegal acts. Internal controls include transaction review and approval and management review
procedures.
b) Polices and procedures governing employee conduct
c) Compliance validation and monitoring procedures
d) Designing, implementing and maintaining suitable systems for the reporting, recording and
management of incidents relating to irregularities or illegal acts

Management should disclose to the IS auditor its knowledge of any irregularities or illegal acts and areas
affected, whether alleged, suspected or proven, and the action, if any, taken by management.
Where an act of irregularity or illegal nature is alleged, suspected or detected, management should aid the
process of investigation and inquiry.

7.15. Control Self-Assessment (CSA)

Control self-assessment is a technique developed in 1987 that is used by a wide range of organisations
including corporations, charities and government departments, to assess the effectiveness of their risk
management and control processes. There are a number of ways a control self-assessment can be
implemented but its key feature is that, in contrast to a traditional audit, the tests and checks are made by
staff whose normal day-to-day responsibilities are within the business unit being assessed.

Benefits claimed for control self-assessment include creating a clear line of accountability for controls,
reducing the risk of fraud and the creation of an organization with a lower risk profile

Chapter 7: IS Audit Process Page 13

Methodologies

Six basic methodologies for control self-assessment have been defined:

 Internal Control Questionnaire (ICQ) self-audit
 Customised questionnaires
 Control guides
 Interview techniques
 Control model workshops
 Interactive workshops

Chapter 7: IS Audit Process Page 14