
5/10/2021

Information System Audit Guideline


Draft 0

Internal audit Process


COOPERATIVE BANK OF OROMIA S.C
Table of Contents
Acronyms ............................................................................................................................... i

PART I ................................................................................................................................... 1

INTRODUCTION ..................................................................................................................... 1

1.1 Introduction ......................................................................................................................1

1.1.1 General Remark .....................................................................................................................................2

1.2 Purpose of The IT Audit ......................................................................................................3

1.3 IT Audit process .................................................................................................................4

1.4 IS Audit Standards, Guidelines and Codes of Ethics .............................................................5

1.4.1 ISACA IS Audit and Assurance Standards ...............................................................................................5
1.4.2 ISACA IS Audit and Assurance Guidelines ..............................................................................................6
1.4.3 ISACA Code of Professional Ethics .........................................................................................................6
1.4.4 Information Technology Audit Framework (ITAF) .................................................................................7

1.5 Audit types ........................................................................................................................8

1.6 IS Internal Audit Function ................................................................................................. 10

1.7 Purpose of this guideline .................................................................................................. 10

1.8 Governing Factors ............................................................................................................ 10

1.9 Scope .............................................................................................................................. 10

1.10 Organization of this guideline .......................................................................................... 10

1.11 Responsibility .................................................................................................................. 10

PART II ................................................................................................................................ 12

Information System Audit Planning ..................................................................................... 12

2.1. Strategic Audit Planning ................................................................................................... 12

2.2. Risk Based IT Audit Plan Processes ................................................................................... 12

Internal Audit Process Information System Audit Guideline


2.2.1. Understand the Bank's Context and Strategy ................................................................ 13

2.2.2. Determining the IT Audit Universe................................................................................ 16

2.2.3. Risk Assess the IT Audit Universe.................................................................................. 18

1.12.1 Risk Assessment process .................................................................................................................19
1.12.2 Risk Ranking ....................................................................................................................................21

1.13 Selecting IT Governance Frameworks for Risk Assessment ................................................ 24

2.2.4. Formalizing the Audit Plan ........................................................................................... 24

PART III ............................................................................................................................... 25

Audit Plan Execution phase.................................................................................................. 25

3.1. Audit Project Management .............................................................................................. 25

3.2. Audit Objectives .............................................................................................................. 26

3.3. Audit Phases .................................................................................................................... 27

3.4. Audit Program ......................................................................................................................................28

3.5. Audit Work Papers

PART IV ............................................................................................................................... 32

Field Work/conducting phase .............................................................................................. 32

4.1. Notifying the Auditees ..................................................................................................... 32

4.2. Hold an initial meeting with the auditees ......................................................................... 32

4.3. Preliminary survey ........................................................................................................... 33

4.4. Internal Control Review ................................................................................................... 33

4.5. Audit Evidence Gathering and Evidence Analysis phase ..................................................... 33

4.5.1. Audit Evidence Gathering ............................................................................................. 33

4.5.2. Audit Evidence Analysis ............................................................................................... 34

4.6. Audit Test ........................................................................................................................ 35

4.7. Advice and Informal Communications .............................................................................. 35



4.8. Audit finding Summary .................................................................................................... 36

4.9. Degrees of Significance of Findings ................................................................................... 36

4.10. Discussion Draft ............................................................................................................... 37

4.11. Exit Conference ................................................................................................................ 37

PART V ................................................................................................................................ 38

5. REPORTING AND FOLLOW-UP .......................................................................................... 38

PART VI ............................................................................................................................... 41

5.1. Documenting Audit Evidence ........................................................................................... 42

Appendices ......................................................................................................................... xliii



Document History
First Draft May 17, 2021



Cooperative Bank of Oromia Information System Audit Guideline

Acronyms

IS: Information System

IT: Information Technology

COBIT: Control Objectives for Information and Related Technology

IIA: Institute of Internal Auditors

ISACA: Information Systems Audit and Control Association

CIA: Chief Internal Auditor

CAE: Chief Audit Executive

GTAG: Global Technology Audit Guide

ITIL: Information Technology Infrastructure Library

ITAF: Information Technology Audit Framework

CAATs: Computer-Assisted Audit Techniques (Tools)

NBE: National Bank of Ethiopia


PART I

1. INTRODUCTION
1.1 Introduction
As computer technology has advanced, organizations, and financial institutions in
particular, have become increasingly dependent on computerized information systems to
carry out their business operations and service delivery.
The continuous development of information technology and data processing power has
changed the way organizations run their business. The banking industry has likewise
been positively affected by developments in this area.
Cooperative Bank of Oromia shares in these effects: technological transformation helps
the Bank improve the efficiency of its business processes.
In pursuit of the "use of technology" objective stated in the Bank's strategic document,
and to gain competitive advantage in the banking industry, the Bank has implemented
information systems to automate business processes and, as needs have grown, has
changed and upgraded those systems to accommodate its business process
requirements.
Cooperative Bank of Oromia increased its server capacity and migrated its core banking
system from OMNI to T24. In addition, other new systems have been implemented or are
in the process of going live to support the Bank's business processes. Furthermore,
integration with other systems, such as those of fintech companies, is mandatory in order
to remain competitive in this dynamic banking industry.
However, change brings with it its mirror image, risk, which is associated with the
business and with the use of information systems. The risks should therefore be identified
and the required controls put in place in order to safeguard the business operations and
increase stakeholders' value. Organizations usually establish risk management and
internal audit functions to identify risks, implement controls and provide assurance that
the controls are operating.
Information technology audit has certain features that distinguish it from other types of
audit. Because of the unique and dynamic nature of this area, this IT Audit Guideline has
been prepared specifically to guide the information technology audit activity of the
Cooperative Bank of Oromia.

1.1.1 General Remark


Information systems are defined as the combination of strategic, managerial and
operational activities and related processes involved in gathering, processing, storing,
distributing and using information and its related technologies. Information systems are
distinct from information technology (IT) in that an information system has an IT
component that interacts with the process components. IT is defined as the hardware,
software, communication and other facilities used to input, store, process, transmit and
output data in whatever form. The terms "IS" and "IT" are therefore used according to
these definitions throughout this guideline.

a. Management of the Information System Audit function


The IS audit function should be managed and led in a manner that ensures that the
diverse tasks performed and achieved by the audit team will fulfill audit function
objectives, while preserving audit independence and competence. Furthermore,
managing the IS audit function should ensure value-added contributions to senior
management in the efficient management of information System (IS) and achievement of
business objectives.

Note: For additional guidance, see standards 1002 Organizational Independence, 1003
Professional Independence, 1004 Reasonable Expectation and 1005 Due Professional
Care, as well as the related guidelines 2002, 2003, 2004 and 2005.


b. Information System Audit Resource Management


Information technology is constantly changing. It is therefore important that IS auditors
maintain their competency by updating existing skills and obtaining training directed
toward new audit techniques and technological areas.
An IS auditor must be technically competent, having the skills and knowledge necessary
to perform audit work, and must maintain that competence through appropriate
continuing professional education. Skills and knowledge should be taken into
consideration when planning audits and assigning staff to specific audit assignments.
Preferably, a detailed staff training plan should be drawn up for the year, based on the
organization's direction in terms of technology and the related risks that need to be
addressed. This plan should be reviewed periodically to ensure that the training efforts
and results are aligned with the direction the audit organization is taking. Additionally, IS
audit management should provide the IT resources needed to properly perform IS audits
of a highly specialized nature (e.g., tools, methodology, work programs).

Note: For additional guidance, see standard 1006 Proficiency and guideline 2006
Proficiency.

1.2 Purpose of The IT Audit


Audits are conducted for a variety of reasons. An audit can help an organization ensure
effective operations, affirm its compliance with applicable regulations and confirm that
the business is functioning well and is prepared to meet potential challenges. An audit can
also provide assurance on the level of protection available for information assets. Most
significantly, an audit can assure stakeholders of the financial, operational and ethical
well-being of the organization. IS audits support all of these outcomes, with a special
focus on the information and related systems upon which most businesses and public
institutions depend for competitive advantage.


IS audit is the formal examination and/or testing of information systems to determine
whether:
• Information systems comply with applicable laws, regulations, contracts and/or
industry guidelines.
• Information systems and related processes comply with governance criteria and
the relevant policies and procedures.
• IS data and information have appropriate levels of confidentiality, integrity and
availability.
• Information system operations are being carried out efficiently and effectiveness
targets are being met.
During the audit process, an IS auditor reviews the control framework, gathers evidence,
evaluates the strengths and weaknesses of internal controls based on the evidence and
prepares an audit report that presents weaknesses and recommendations for remediation
in an objective manner to stakeholders.

1.3 IT Audit process


The IT audit process comprises four phases:
• Planning
• Fieldwork
• Reporting
• Follow-up

(Figure: Planning → Fieldwork → Reporting → Follow-up)

Each phase of the audit process is further broken down into more specific steps and
activities to plan and perform the engagement and to report its results, based on the
evidence gathered through audit tests. Each phase is presented in a separate part of this
guideline.

1.4 IS Audit Standards, Guidelines and Codes of Ethics


The credibility of any IS audit activity is largely determined by its adherence to commonly
accepted standards. The fundamental elements of IS audit are defined and provided
within ISACA’s IS audit and assurance standards and guidelines. ISACA’s code of
professional ethics guides the professional and personal conduct of ISACA members and
certification holders.

1.4.1 ISACA IS Audit and Assurance Standards


ISACA IS Audit and Assurance Standards define mandatory requirements for IS auditing
and reporting and inform a variety of audiences of critical information, such as the
following:
• For IS auditors, the minimum level of acceptable performance required to meet the
professional responsibilities set out in the ISACA Code of Professional Ethics
• For management and other interested parties, the profession’s expectations
concerning the work of practitioners.
• For holders of the CISA designation, their professional performance requirements.
The framework for the ISACA IS Audit and Assurance Standards provides for multiple
levels of documents:
• Standards define mandatory requirements for IS audit and assurance and
reporting.
• Guidelines provide guidance in applying IS audit and assurance standards.
The IS auditor should consider them in determining how to achieve implementation
of the above standards, use professional judgment in their application and be
prepared to justify any departure from the standards.
• Tools and techniques provide examples of processes an IS auditor might follow
in an audit engagement. The tools and techniques documents provide information
on how to meet the standards when completing IS audit work, but do not set
requirements.

ISACA IS Audit and Assurance Standards are divided into three categories:
1. General: provide the guiding principles under which the IS assurance profession
operates. They apply to the conduct of all assignments and deal with an IS
auditor's ethics, independence, objectivity and due care, as well as knowledge,
competency and skill.

2. Performance: deal with the conduct of the assignment, such as planning and
supervision, scoping, risk and materiality, resource mobilization, supervision and
assignment management, audit and assurance evidence, and the exercising of
professional judgment and due care.

3. Reporting: address the types of reports, means of communication and the
information communicated.

1.4.2 ISACA IS Audit and Assurance Guidelines


ISACA IS Audit and Assurance Guidelines provide guidance and additional information
on how to comply with the ISACA IS Audit and Assurance Standards.
An IS auditor should do the following:
• Consider the guidelines in determining how to implement the ISACA IS Audit and
Assurance Standards.
• Use professional judgment in applying them to specific audits.
• Be able to justify any departure from the ISACA IS Audit and Assurance Standards.

1.4.3 ISACA Code of Professional Ethics


ISACA’s Code of Professional Ethics guides the professional and personal conduct of
ISACA members and certification holders.
ISACA members and certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate
standards and procedures for the effective governance and management of
enterprise information systems and technology, including audit, control, security
and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in
accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high
standards of conduct and character, and not discrediting their profession or the
Association.
4. Maintain the privacy and confidentiality of information obtained in the course of
their activities unless disclosure is required by legal authority. Such information
shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those
activities they can reasonably expect to complete with the necessary skills,
knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure
of all significant facts known to them that, if not disclosed, may distort the reporting
of the results.
7. Support the professional education of stakeholders in enhancing their
understanding of the governance and management of enterprise information
systems and technology, including audit, control, security and risk management.

1.4.4 Information Technology Audit Framework (ITAF)


ITAF is a comprehensive and good practice-setting reference model that does the
following:
• Establishes standards that address IS auditor roles and responsibilities;
knowledge and skills; and diligence, conduct and reporting requirements
• Defines terms and concepts specific to IS assurance
• Provides guidance and tools and techniques on the planning, design, conduct and
reporting of IS audit and assurance assignments


1.5 Audit types


An IS Auditor should understand the various types of audits that can be performed,
internally or externally, and the basic audit procedures associated with each. These
include:
a. Information System audit:- An Information System audit is designed to collect
and evaluate evidence to determine whether an information system and related
resources are adequately safeguarded and protected; maintain data and system
integrity and availability; provide relevant and reliable information; achieve
organizational goals effectively; consume resources efficiently; and have, in effect,
internal controls that provide reasonable assurance that business, operational and
control objectives will be met and undesired events will be prevented, or detected
and corrected, in a timely manner.
b. Compliance audit: - A compliance audit includes specific tests of controls to
demonstrate adherence to specific regulatory or industry-specific standards or
practices. These audits often overlap other types of audits but may focus on
particular systems or data.
c. Financial Audit: - A financial audit assesses the accuracy of financial reporting. A
financial audit will often involve detailed, substantive testing, although IS auditors
are increasingly placing more emphasis on a risk- and control-based audit
approach. This kind of audit relates to financial information integrity and reliability.
d. Operational Audit: - An operational audit is designed to evaluate the internal
control structure in a given process or area. An IS audit of application controls or
logical security systems is an example of an operational audit.
e. Integrated Audit: - There are a number of different types of integrated audits, but
typically an integrated audit combines financial and operational audit steps and
may or may not include the use of an IS auditor. An integrated audit is also
performed to assess the overall objectives within an organization related to
financial information and the safeguarding of assets, efficiency and compliance. An
integrated audit can be performed by external or internal auditors and would
include compliance tests of internal controls and substantive audit steps.
f. Administrative Audit: - An administrative audit is designed to assess issues
related to the efficiency of operational productivity within an organization.
g. Specialized Audit: - Many different types of specialized audits are conducted.
Within the category of IS audit, specialized reviews may examine areas such as
fraud or services performed by third parties.
h. Third-party Service Audit: - A third-party service audit addresses the audit of
financial and business processes outsourced to third-party service providers,
which may operate in different jurisdictions. A third-party service audit issues an
opinion on a service organization's description of controls through a service
auditor's report, which can then be used by the IS auditor of the entity that uses
the services of the service organization.
i. Fraud Audit:- A fraud audit is a specialized audit designed to discover fraudulent
activity. Auditors often use specific tools and data analysis techniques to discover
fraud schemes and business irregularities.
j. Forensic Audit: - A forensic audit is a specialized audit to discover, disclose and
follow up on fraud and crime. The primary purpose of such an audit is the
development of evidence for review by law enforcement and judicial authorities.
k. Computer forensic Audit: - A computer forensic audit is an investigation that
includes the analysis of electronic devices such as computers, smartphones, disks,
switches, routers and hubs. An IS auditor possessing the necessary skills can
assist an information security manager or forensic specialist in performing forensic
investigations and conduct an audit of the system to ensure compliance with the
evidence collection procedures for forensic investigation.
l. Functional Audit: - A functional audit provides an independent evaluation of a
software product, verifying that the actual functionality and performance of its
configuration items are consistent with the requirement specifications. Such an
audit is typically held prior to software delivery or after implementation.

1.6 IS Internal Audit Function


The role of the IS internal audit function should be established by an audit charter
approved by the Board of Directors or the Audit Committee. Professionals should have a
clear mandate to perform the IS audit function, which may be indicated in the audit
charter.

1.7 Purpose of this guideline


The purpose of this document is to provide guidance on IT/IS audit planning, plan
implementation, fieldwork and reporting, in accordance with the ISACA IS audit
standards and guidelines and the IIA audit standards.

1.8 Governing Factors


This guideline operates within the parameters provided by:
• the Cooperative Bank of Oromia internal audit charter;
• the directives and regulations of the NBE; and
• other applicable laws and regulations of the country.

1.9 Scope
1.10 Organization of this guideline
This document is organized in six parts; additional material, such as formats, is
included in the appendices.
I. Part One is the Introduction, which establishes the general direction and creates a
good understanding of this guideline.
II. Part Two is Planning; this part describes all necessary steps the auditors

1.11 Responsibility
IS audit can be a part of internal audit, function as an independent group, or be integrated
within a financial and operational audit to provide IT-related control assurance to the
financial or management auditors. Therefore, the audit charter may include IS audit as an
audit support function.

The charter should clearly state management's responsibility and objectives for, and
delegation of authority to, the IS audit function. The highest level of management and the
audit committee, if one exists, should approve this charter. Once established, this charter
should be changed only if the change can be and is thoroughly justified.

The responsibility, authority and accountability of the IS audit function should be
appropriately documented in an audit charter or engagement letter. [ISACA]

An audit charter is an overarching document that covers the entire scope of audit activities
in an entity while an engagement letter is more focused on a particular audit exercise that
is sought to be initiated in an organization with a specific objective in mind. If IS audit
services are provided by an external firm, the scope and objectives of these services
should be documented in a formal contract or statement of work between the contracting
organization and the service provider. In either case, the internal audit function should be
independent and report to an audit committee, if one exists, or to the highest management
level such as the board of directors.

Note: For additional guidance, see standard 1001 Audit Charter and guideline 2001 Audit
Charter.


PART II

2. Information System Audit Planning


2.1. Strategic Audit Planning
Managing the internal audit function requires strategic planning, while ensuring that all
internal resources are appropriate and effectively deployed.

2.2. Risk Based IT Audit Plan Processes


ITAF requires that the IS audit and assurance function use an appropriate risk
assessment approach and supporting methodology to develop the overall IS audit plan
and to determine priorities for the effective allocation of IS audit resources.
The Institute of Internal Auditors (IIA) published GTAG 11, Developing the IT Audit Plan,
in its Global Technology Audit Guide series specifically for IT audit planning, and in
December 2018 ISACA published the COBIT 2019 Design Guide: Designing an
Information and Technology Governance Solution.

IT audit planning involves the following key steps:

a. Understanding the organization's strategies, objectives and business model.
b. Understanding the role of technology in supporting the business.
c. Identifying technology risks that could prevent the Bank from achieving its
business objectives.

2.2.1. Understand the Bank's Context and Strategy

Before developing an audit plan, one should understand the enterprise under review.
Enterprises can have different strategies. An enterprise strategy is realized by the
achievement of a set of enterprise goals. Usually, the goals are structured along the
lines of the balanced scorecard.
Key requirements
a. Identify the organization's strategy and business objectives.
b. Understand the high-risk profiles of the organization.
c. Identify how the organization structures its business operations.
d. Understand the IT service support model.

1. The auditors need to have a clear understanding of the Bank's strategy. The strategy is
realized by the achievement of a set of organizational goals. Usually, the goals are
structured along the lines of the balanced scorecard.
2. Good understanding of the Bank's goals.
3. Understanding of the risk profile of the Bank: a risk profile identifies the sort of IT-related
risks to which the Bank is currently exposed and indicates which areas of risk are
exceeding the risk appetite.
4. Good understanding of current IT and IT-related issues.
5. Understanding of the organization's (Bank's) uniqueness:
a. Importance of the technology based on the nature of the business
b. Infrastructure deployment and risks associated with the use of technology
6. Operating environment
a. Understanding of the organization's objectives and the structure implemented to
achieve these objectives, from documents such as:
a. Mission, vision and value statement
b. Strategic plan
c. Annual business plans
d. Management performance scorecard
e. Stakeholders' annual report and supplement
f. Regulatory filings
b. Identification of the key processes that are critical to the success of the objectives.
c. Understanding of how each business process differs within the operating units,
support functions and organization-wide projects, and of the relationship between
processes and their linkage to the organization's business objectives.
d. Identification of critical IT infrastructure:
a. Database
b. Operating systems
c. Network and
d. Physical environments
e. Identification of IT processes such as:
a. System development life cycle and levels of customization
b. Change management operation
c. Security activity
f. IT environmental factors:
a. The degree of system and geographic centralization, that is, the distribution of IT
resources
b. Clear understanding of the technology deployed, and determination of the areas to
be audited; this may include databases, servers, network and applications.
c. Understanding of the degree of system customization to fit the unique needs of the
organization, and of the increased management complexity that comes with
customization of software.

d. Clear understanding of formalized company policies and standards, such as IT governance.
e. Understanding of the proper management of IT activity and of risk management using policies
and standards.
f. Understanding of the degree of regulation and compliance.
g. Understanding of the degree of outsourcing, the methods of outsourcing, the outsourcing
arrangements and the related risk.
h. Understanding of the degree of operational standardization and its effects on:
a. Reliability and effectiveness
b. The entire development life cycle
c. Configuration management
d. Change management
e. Incident management
f. Problem management
g. Operation management
h. Security management

Related frameworks such as ITIL address service support and delivery with higher
reliability and lower cost.

i. Understanding of the level of reliance on technology, that is, how far the
organization's business needs IT or technology to achieve its business objectives.


2.2.2. Determining the IT Audit Universe

Key points
1. Dissect the business fundamentals.
2. Identify significant applications that support the business operation.
3. Identify the critical infrastructure for the significant applications.
4. Understand the role of supporting technologies.
5. Identify major projects and initiatives.
6. Determine realistic audit subjects.

ISACA defines a portfolio as a grouping of “objects of interest” (i.e., investment programs,
IT services, IT projects, other IT assets or resources) managed and monitored to optimize
business value.

The information system audit practitioners need to have a good understanding of the IT
portfolio and its management.
Universe definition should be done before risk assessment; therefore the auditor should
define and know the audit coverage and type, which requires in-depth knowledge of the
organization's objectives, business model, and IT service support model.
The information system audit process should consider the IT portfolio to match the mix
going to be audited. Therefore, the auditor in charge of planning the IT audit should consider:
1. The components of the governance system.
2. Determining the IT audit portfolio.
3. Defining the IT audit universe:
a. Business model examination
i. Understand the operational and support unit functions and the business processes that link
them together in order to achieve the organization's objectives.
ii. Understand the role of supporting technology.


iii. The information system auditor must see and properly examine the Bank's annual
plan and strategy document, so that the auditor is able to understand the operational plan.
iv. The information system auditor must understand the centralized and decentralized IT
functions.
v. The auditor must identify centrally managed IT functions that support the entire
organization or large portions of it.
vi. Understanding of IT support processes
1. The IS audit practitioners need to understand the standardized support
processes across the organization's operating units, which include:
a. Service desk activities
b. Change management
c. Configuration management
d. Release management
e. Incident management and
f. Problem management
2. The IS auditor should understand support service requests and lifecycle
management, and needs to understand whether a framework like ITIL
(Information Technology Infrastructure Library) is in use.
vii. Understand and identify regulatory requirements and industry standards while
implementing internal controls and risk management practices, including those on the privacy of
personally identifiable information. These include:
a. Sarbanes-Oxley Act and Basel II Accord
b. Protection of customer information in the credit card industry (GLBA and
the PCI DSS)
viii. Audit subject area definition
a. Personal influence and staffing considerations should be avoided during
the definition of the IT audit subject area.
b. The IS auditors should figure out how to divide the environment in the
manner that provides the most efficient and effective audit.

c. The goal should be an IT audit plan that focuses on the highest-risk
areas, where the auditors can add the most value.
ix. The business applications audit plan and its oversight should be determined by the
Chief Internal Auditor.
x. Depending on how the audit function operates, business applications can be included in the
IT audit universe, or in both the IT and business audit universes.
xi. The audit of business applications should be done in collaboration with the application's
user process or team.
xii. The audit practitioners should assess risk per audit subject area.

Information system audit practitioners should understand the business objectives and risks, and must
also identify the role of supporting technologies such as the company network, e-mail system,
encryption software and other systems, if they exist.

2.2.3. Risk Assess the IT Audit Universe

Key points
1. Develop processes to identify risk.
2. Assess risk and rank audit subjects using IT risk factors.
3. Assess risk and rank subjects using business risk factors.
4. Evaluate business processes and IT processes to identify risk.

The IIA defines risk as the possibility that an event will occur that could affect the
achievement of objectives; it is measured in terms of impact and likelihood. Therefore,
it is vitally important for the organization to determine the contents of its risk portfolio
periodically and to perform activities to manage risk to an acceptable level.


Risk analysis is the process of estimating the two essential properties of each risk
scenario:
Frequency: the number of times in a given period (usually a year) that an event is likely
to occur.
Impact: the business consequence of the scenario.
The IT audit practitioners should observe the following while performing risk assessment:

➔ Risk assessment should be conducted after the IT audit universe is determined and
the linkage to the business objectives is properly identified.

Risk assessment should cover the:

a. Infrastructure
b. Applications and
c. Computer operations or components that pose the greatest threat to the
organization's ability to ensure system and data availability, reliability,
integrity, and confidentiality.

Auditors need to assess the effectiveness and usefulness of the risk assessment result, which should be
predicated on the methodology employed and its proper execution.

1.11.1 Risk Assessment process

The assessment process starts after the Chief Internal Auditor and other auditors clearly
understand the organization and its use of information systems and information
technology.
Steps in risk assessment:
1. Identify and understand business objectives
The auditor should know the business objectives; if the objectives are not clearly
identified, the auditors need to carry out an identification of the organization's business
objectives before performing the risk assessment.
The risk management process should have five key objectives:
a. Risks arising from business strategies and objectives need to be identified
and prioritized.


b. Management and the Board of Directors need to determine the level of risk
acceptable to the Bank, including the acceptance of the risk involved in
accomplishing the organization's strategic plan.
c. Risk mitigation activities need to be designed and implemented to reduce or
otherwise manage risk at levels acceptable to management and the Board.
d. Ongoing monitoring activities need to be conducted to reassess risk
periodically and the effectiveness of the controls to manage risk.
e. The Board and management need to receive periodic risk management
process reports. The organization's corporate governance process also
should provide periodic communication of risks and risk strategies to the
stakeholders.

➔ The IT auditors should identify and understand the IT strategy and how it is aligned with the
overall organization-level strategies and business objectives.
➔ The Chief Internal Auditor and IT auditors need to obtain documents that show the
relationship between the organization's strategic plan and the IT strategy.
➔ The IT auditor needs to determine the IT universe by performing an inventory of the systems
to determine which IT areas need to be reviewed from a risk and controls perspective.

Most organizations divide their IT into 3 broad areas.

1. Infrastructure: consists of all components that support the flow and
processing of information, such as:
a. Servers
b. Networking: routers, switches, and other network infrastructure
c. Storage technology
d. Data centers
e. Antivirus software
f. Database systems

g. And personal computers

2. Computer Operations: consists of the processes and controls that manage
the computing environment, including:
a. Physical and logical security administration
b. Backups and recovery
c. Business continuity and disaster recovery planning
d. Service level agreements (SLAs)
e. Program change controls
f. Incident management and problem management and
g. Compliance with regulatory organ (NBE) requirements and laws
3. Applications: consists of the software used by the organization to process,
store, and report business transactions, including:
a. Core banking system (T24)
b. ERP
c. Mobile and internet banking systems and
d. Other stand-alone applications like Microsoft Office

1.11.2 Risk Ranking

1. Risk ratings should be assigned after the risk assessment is completed.
2. Sub-categories or areas of information systems such as infrastructure, computer
operations, and applications should be ranked based on the impact they have on
the Bank's objectives and the likelihood of occurrence.

There are three approaches to measuring risk and impact:

1. Direct probability estimates and expected loss functions, or the application of
probabilities to asset values to determine exposure to loss. This process is the
oldest and is not considered a best practice. The insurance industry still uses this
method, but internal auditing does not.
2. Risk factors, or the use of observable or measurable factors to measure a
specific risk or class of risks. This process is favored for macro-risk
assessments but is not efficient or particularly effective for micro-risk assessments,
except when auditable units are homogeneous throughout the audit universe, as in
branch, location, or plant audits.
3. Weighted or sorted matrices, or the use of threats-versus-components matrices to
evaluate consequences and controls. This method is superior for most micro-risk
assessments.

There are three types of risk factors which are commonly in use:
1. Subjective risk factors. Measuring risk and its impact requires a combination of
expertise, skills, imagination, and creativity. This emphasis on subjective
measurements is borne out in practice: many auditable units change so much
between audits that prior audit history is of little use. Therefore, an experienced
auditor's sound subjective judgment is just as valid as any other method.
2. Objective or historical risk factors. Measuring risk factor trends can be useful in
organizations with stable operations. In all cases, current objective information is
helpful in measuring risk.
3. Calculated risk factors. A subset of objective risk factor data is the class of factors
calculated from historical or objective information. These are often the weakest of all
factors to use because they are derivatives of risk factors that lie further upstream.

Risk Scaling Methodologies

Likelihood Scale
H  3  High probability that the risk will occur.
M  2  Medium probability that the risk will occur.
L  1  Low probability that the risk will occur.
Risk likelihood scaling

Impact Scale (Financial)
H  3  The potential for material impact on the organization’s earnings,
      assets, reputation, or stakeholders is high.
M  2  The potential for material impact on the organization’s earnings,
      assets, reputation, or stakeholders may be significant to the audit unit,
      but moderate in terms of the total organization.
L  1  The potential impact on the organization is minor in size or limited in
      scope.
Risk impact scale model

LEVEL  Composite Risk Score Range  Recommended Annual Cycle
H      35-54                       Every 1 to 2 years
M      20-34                       Every 2 to 3 years
L      6-19                        Every 3 to 5 years
Table 3. Scoring ranges and corresponding audit or review frequencies

Example scoring of audit areas (L = likelihood, I = impact):

Area                               | Financial Impact | Availability | Integrity | Quality of internal Control | Change in Audit unit | Confidentiality | IT Risk Score and Level
                                   |   L    I         |   L    I     |   L    I  |   L    I                    |   L    I             |   L    I        |
ERP Application & General Controls |   3    3         |   2    3     |   3    3  |   2    3                    |   2    3             |   2    3        | 32  H
IT Infrastructure                  |   3    3         |   3    3     |   3    3  |   3    3                    |   3    3             |   3    3        | 36  H
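The scoring model above, worked through as an added Python example (not code from the guideline): it assumes the composite score is the sum of likelihood x impact across the six factors, the formula that yields the 6-54 range of Table 3 (note that the totals printed in the table above are plain sums of the twelve cells), and the "Mobile banking" and "Stand-alone office tools" rows are constructed to exercise the M and L ranges.

```python
"""Composite IT risk scoring and ranking for an IT audit universe.

Added illustration of the Likelihood Scale, Impact Scale and Table 3; not part
of the guideline.  Assumption: the composite score is the sum over the six risk
factors of likelihood x impact, each scored 1..3, which is the formula that
spans Table 3's 6-54 range.  Two subjects are taken from the page's example
table; the other two are constructed for illustration.
"""
from dataclasses import dataclass

# Likelihood and impact scales from the guideline: H = 3, M = 2, L = 1.
SCALE = {"H": 3, "M": 2, "L": 1}

# The six risk factors of the example scoring table, in page order.
FACTORS = (
    "Financial Impact",
    "Availability",
    "Integrity",
    "Quality of internal Control",
    "Change in Audit unit",
    "Confidentiality",
)

# Table 3: (low, high, level, recommended annual cycle).
SCORE_RANGES = (
    (35, 54, "H", "Every 1 to 2 years"),
    (20, 34, "M", "Every 2 to 3 years"),
    (6, 19, "L", "Every 3 to 5 years"),
)


@dataclass(frozen=True)
class AuditSubject:
    """One auditable area with a (likelihood, impact) pair per factor."""
    area: str
    scores: dict  # factor name -> (likelihood 1..3, impact 1..3)

    def validate(self) -> None:
        # Reject missing or unknown factors and values outside the 1..3 scale.
        missing = [f for f in FACTORS if f not in self.scores]
        if missing:
            raise ValueError(f"{self.area}: missing factors {missing}")
        for factor, (likelihood, impact) in self.scores.items():
            if factor not in FACTORS:
                raise ValueError(f"{self.area}: unknown factor {factor!r}")
            for value in (likelihood, impact):
                if value not in SCALE.values():
                    raise ValueError(
                        f"{self.area}: {factor} value {value} is not on the 1..3 scale")


def composite_score(subject: AuditSubject) -> int:
    """Sum of likelihood x impact over the six factors (assumed formula)."""
    subject.validate()
    return sum(l * i for l, i in (subject.scores[f] for f in FACTORS))


def risk_level(score: int) -> tuple:
    """Map a composite score onto Table 3: returns (level, annual cycle)."""
    for low, high, level, cycle in SCORE_RANGES:
        if low <= score <= high:
            return level, cycle
    raise ValueError(f"score {score} lies outside the 6..54 range of Table 3")


def rank_universe(subjects) -> list:
    """Rank subjects by descending composite score, highest risk first."""
    rows = []
    for subject in subjects:
        score = composite_score(subject)
        level, cycle = risk_level(score)
        rows.append((subject.area, score, level, cycle))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def _scores(*pairs):
    return dict(zip(FACTORS, pairs))


# Rows reproduced from the page's example table.
ERP = AuditSubject("ERP Application & General Controls",
                   _scores((3, 3), (2, 3), (3, 3), (2, 3), (2, 3), (2, 3)))
IT_INFRASTRUCTURE = AuditSubject("IT Infrastructure", _scores(*[(3, 3)] * 6))
# Constructed subjects (not from the page) to exercise the M and L ranges.
MOBILE_BANKING = AuditSubject("Mobile banking (constructed)",
                              _scores((2, 2), (2, 3), (2, 2), (1, 2), (2, 2), (2, 3)))
OFFICE_TOOLS = AuditSubject("Stand-alone office tools (constructed)",
                            _scores(*[(1, 1)] * 6))

if __name__ == "__main__":
    universe = [OFFICE_TOOLS, MOBILE_BANKING, ERP, IT_INFRASTRUCTURE]
    for area, score, level, cycle in rank_universe(universe):
        print(f"{area:42} {score:3d}  {level}  {cycle}")
```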


1.12 Selecting IT Governance Frameworks for Risk Assessment

• The Chief Internal Auditor is responsible for selecting the IT governance frameworks
that best fit the organization's business nature and are best suited for risk assessment.
• A single IT governance framework may not fit the organization or cover all the
requirements; rather, the frameworks complement each other.
• ISO, COBIT and ITIL are the best-known governance frameworks.

2.2.4. Formalizing the Audit Plan

1. Select audit subjects and bundle them into distinct audit subjects.
2. Determine the audit cycle and frequency.
3. Add appropriate engagements based on management requests or opportunities for
consulting.
4. Validate the plan with business management.


PART III

Audit Plan Execution Phase

3.1. Audit Project Management
1. The auditor should plan the audit so that the engagement will be performed in an
effective manner.
2. Planning an audit involves establishing the overall audit strategy for the
engagement and developing an audit plan, in order to reduce audit risk to an
acceptably low level. Planning involves the engagement partner and other key
members of the engagement team, to benefit from their experience and insight and
to enhance the effectiveness and efficiency of the planning process.
3. The IS auditor should perform adequate planning in order to be effective and
efficient and to use resources properly.
4. The information system auditors must perform a risk assessment for the general and
application areas and the related services being audited, and then develop an audit
program that consists of objectives and audit procedures to satisfy the audit
objectives.
5. The IS auditor should gather information and evidence, and evaluate the strengths and
weaknesses of controls based on the evidence gathered through audit tests.
6. Audit management must ensure the availability of adequate audit resources
and a schedule for performing the audit, and follow-up reviews on the status of
corrective actions taken by management.
7. The information system auditor should include the following key activities in the
process of auditing:
a. Audit scope definition
b. Audit objectives formulation
c. Identification of audit criteria
d. Forming the audit procedure or strategy

e. Reviewing and evaluating evidence
f. Forming the audit conclusion and opinion
g. Discussion with process owners
h. Reporting to management
8. Audit project management should include:
a. Planning the audit engagement: plan the audit considering project-specific
risk.
b. Building the audit plan: chart out the necessary tasks
i. Timeline
ii. Resource usage optimization
iii. Making realistic estimates of the time
iv. Requirements for each task, with proper consideration given to the
availability of the auditee
c. Plan execution: running the audit tasks against the plan.
d. Monitoring project activity: reporting actual progress against the planned audit
steps to ensure changes are managed proactively and the scope is completed
within time and budget.

3.2. Audit Objectives

Determining the audit objective is a critical step in planning an IS audit.
1. The audit should have audit objectives which explain the specific activity that
should be audited; these should depend on the control objectives, which
refer to how the internal controls should function.
2. A single audit incorporates several audit objectives, which should focus on
confirming the existence of internal controls to minimize the risk and on
ensuring that the controls function properly, as expected.
3. An IS auditor must understand how general audit objectives can be translated into
specific IS control objectives.


4. The IS auditor must identify the control objectives and the related controls that address
the objectives, and determine whether to test these controls for compliance.
For example, an IS auditor's initial review of an information system should identify
key controls.
5. An IS auditor should identify both key general and application controls after
developing an understanding of, and documenting, the business processes and the
applications/functions that support these processes and general support systems.
Based on that understanding, an IS auditor should identify the key control points.
6. Alternatively, an IS auditor may assist in assessing the integrity of financial
reporting data, referred to as substantive testing, through CAATs (computer-
assisted audit tools).

3.3. Audit Phases

1. Each phase in the execution of an audit can be divided into key steps to plan,
define, perform and report the results; these steps can be further broken down into
more specific activities.


3.4. Audit Program

1. An audit program is a step-by-step set of audit procedures and instructions that
should be performed to complete an audit. It is based on the scope and objective
of the particular assignment.
2. The main purposes of developing an audit program are to accomplish the
following:
• Formal documentation of audit procedures and sequential steps
• Creation of procedures that are repeatable and easy to use by internal or external
audit and assurance professionals who need to perform similar audits
• Meeting generally accepted audit standards that relate to the planning phase in
the audit process
3. An IS auditor often evaluates IT functions and systems from different perspectives,
such as security (confidentiality, integrity and availability), quality (effectiveness,
efficiency), fiduciary (compliance, reliability), service and capacity.
4. The audit work program is the audit strategy and plan; it identifies the scope, audit
objectives and audit procedures to obtain sufficient, relevant and reliable evidence
to draw and support audit conclusions and opinions.
1. Determine the audit subject: identify the area to be audited (e.g., business function,
system, physical location).
2. Define the audit objective: identify the purpose of the audit. For example, an
objective might be to determine whether program source code changes occur in a
well-defined and controlled environment.
3. Set the audit scope: identify the specific systems, function or unit of the organization
to be included in the review. For example, in the previous example (program
changes), the scope statement might limit the review to a single application,
system or a limited period of time.
This step is very important because the IS auditor will need to understand the IT
environment and its components to identify the resources that will be required to
conduct a comprehensive evaluation. A clear scope will help the IS auditor define
a set of testing points that is relevant to the audit and further determine the
technical skills and resources necessary to evaluate different technologies and
their components.
4. Perform pre-audit planning.
Conduct a risk assessment, which is critical in setting the final scope of a risk-
based audit. For other types of audits (e.g., compliance), conducting a risk
assessment is a good practice because the results can help the IS audit team to
justify the engagement and further refine the scope and preplanning focus.
a. Interview the auditee to inquire about activities or areas of concern that should
be included in the scope of the engagement.
b. Identify regulatory compliance requirements. Once the subject, objective and
scope are defined, the audit team can identify the resources that will be needed
to perform the audit work. Some of the resources to be defined follow:
o Technical skills and resources needed
o Budget and effort needed to complete the engagement
o Locations or facilities to be audited
o Roles and responsibilities among the audit team
o Time frame for the various stages of the audit
o Sources of information for test or review, such as functional
flowcharts, policies, standards, procedures and prior audit work papers
o Points of contact for administrative and logistics arrangements
o A communication plan that describes to whom to communicate, when, how
often and for what purposes
5. Determine the audit procedures: at this stage of the audit process, the audit team
should have enough information to identify and select the audit approach or
strategy and start developing the audit program and the steps for data gathering.
Some of the specific activities in this step are:


1. Identify and obtain departmental policies, standards and guidelines for
review.
2. Identify any regulatory compliance requirements.
3. Identify a list of individuals to interview.
4. Identify methods (including tools) to perform the evaluation.
5. Develop audit tools and methodology to test and verify controls.
6. Develop test scripts.
7. Identify criteria for evaluating the test.
8. Define a methodology to evaluate that the test and its results are accurate
(and repeatable if necessary).
6. General audit procedures are the basic steps in the performance of an audit and
usually include:
1. Obtaining and recording an understanding of the audit area/subject
2. Creating a risk assessment and general audit plan and schedule
3. Performing detailed audit planning that includes the necessary audit steps
and a breakdown of the work planned across an anticipated timeline
4. Doing a preliminary review of the audit area/subject
5. Evaluating the audit area/subject
6. Verifying and evaluating the appropriateness of controls designed to meet
control objectives
7. Conducting compliance testing (tests of the implementation of controls and
their consistent application)
8. Conducting substantive testing (confirming the accuracy of information)
9. Reporting (communicating results)
10. Following up in cases where there is an internal audit function
Minimum Skills to Develop an Audit Program
7. Developing meaningful audit and assurance programs depends on the ability to
customize audit procedures according to the nature of the subject under review
and the specific risks that must be addressed in the audit area/organization. The
following skills can assist an IS auditor in creating an audit program:
1. Good understanding of the nature of the enterprise and its industry, to
identify and categorize the types of risk and threat
2. Good understanding of the IT space and its components, and sufficient
knowledge of the technologies that affect them
3. Understanding of the relationship between business risk and IT risk
4. A basic knowledge of risk assessment practices
5. Understanding of the different testing procedures for evaluating IS controls
and identifying the best method of evaluation
6. The use of generalized audit software to survey the contents of data files
(e.g., system logs, user access lists)
7. The use of specialized software to assess the contents of operating
systems, databases and application parameter files
8. Flowcharting techniques for documenting business processes and
automated controls
9. The use of audit logs and reports to evaluate parameters
10. Review of documentation
11. Inquiry and observations
12. Walk-throughs
13. Reperformance of controls
Note: For additional guidance, see standard 1203 Performance and Supervision and
guideline 2203 Performance and Supervision.


PART IV

Field Work/Conducting Phase

The purpose of the conduct phase of the audit is to gather sufficient, appropriate audit
evidence to reach a conclusion on each of the objectives identified in the planning phase.
Fieldwork is generally regarded as the beginning of the conduct phase and is interpreted
as the point at which the audit team is implementing the audit program, usually on site
with the auditee. Basically, the field work has the following tasks:

4.1. Notifying the Auditees

1. The Internal Audit process informs the auditee in writing, normally by memo or letter, with
the terms of reference attached.
2. The auditee is normally the process or team that is directly responsible or
accountable for the program, activity, organization or initiative.
3. The initial communication with the auditee is normally drafted by the audit manager
and issued by the process owner/Chief Internal Auditor.

4.2. Hold an Initial Meeting with the Auditees

1. An entrance meeting will normally be held on the first day of fieldwork with the IT
auditors and the auditee (the senior manager/director directly responsible for the
process under review).
2. This opening conference meeting should include at least the following components:
a. Describe the unit or system to be reviewed, the organization, available
resources (personnel, facilities, equipment), and other relevant information
to the auditee.
b. Request access to relevant documents and records.

c. Provide a list of the items the auditor is looking for, using common titles.
d. Provide a brief description (for example, a copy of the records management policy,
security classification procedure, system certification procedure,
organizational chart, and prior audit reports).
e. Determine applicable site safety rules.
f. Make arrangements for the audit resources.
g. Agree on attendance of observers and a guide for the audit team.
h. Request the audit team's workspace needs from technology services to support
the audit workflow.

4.3. Preliminary Survey

1. The IS auditor gathers relevant information about the unit to be audited.
2. The information system (IS) auditor talks to key personnel and reviews
procedures, guidelines, policies, reports, files, and other sources of information
in order to obtain a general overview of the operation.

4.4. Internal Control Review

1. The auditor should review the unit's internal control structure, a process which is
usually time-consuming. In doing this, the auditor uses a variety of tools and
techniques to gather and analyze information about the operation.
2. The fieldwork stage should be concluded with a list of significant findings from
which the auditor will prepare a draft of the audit report.

4.5. Audit Evidence Gathering and Evidence Analysis Phase

4.5.1. Audit Evidence Gathering
1. To gather pertinent information and analyze the evidence regarding the audit
objective, the auditors need to use different methods. Some of the methods for
evidence gathering are:
I. On-site tours
II. Document review


III. Walk-through test
IV. Interview and/or questionnaire

Auditors must always make sure that they:

I. Collect data or evidence based on the audit criteria outlined in the audit
work program; and
II. Collect data or evidence which is sufficient and persuasive to logically
support the analysis, observations, conclusions and recommendations.

2. Audit evidence is classified as:

a) Physical: by direct observation/inspection of people, material or events.
b) Testimonial: by enquiry or interviews of auditee staff or third parties, or focus
groups.
c) Documentary: by review of documents, reports, manuals.
d) Analytical: by analysis through reasoning, reclassification, computation and
comparison of performance data.

4.5.2. Audit Evidence Analysis

1. The collected evidence has to be analyzed to examine the characteristics of the
data required and to evaluate the relevance of the collected data to achieving the
explicit audit objectives. This involves the following steps:
I. Explain what has been observed.
II. Make the connection between cause and effect; and
III. Start by revisiting the audit objectives. The analysis of evidence may involve
combining and comparing data from different sources.


4.6. Audit Test


Auditors must perform audit tests to obtain relevant audit evidence. Tests are basically
done in three ways:
➢ System review tests: the auditor assesses the adequacy of the elements of the
internal control system as designed, answering the question: does the appropriate
control exist?
➢ Compliance tests: the auditor seeks evidence that the internal control system and
procedures are being applied as prescribed, answering the question: did the control
operate?
➢ Substantive tests: analytical review of transactions and other procedures to establish
the completeness, accuracy and validity of the information, answering the question:
is the information produced correct?

For each audit test completed, a working summary paper should be prepared showing the
purpose of the test and its reference to the audit program, the results of the test and
the conclusions drawn from the results.
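Compliance and substantive tests can be partly automated when the control leaves machine-readable traces. The script below is an added example, not code from this guideline or from the bank's audit tooling. It runs a compliance test (did the change-approval control operate?) over a constructed change log and ticket list, and a substantive test (is the user access list valid and complete?) that reconciles a constructed account export against a constructed HR roster. All field names, user names and ticket identifiers are invented sample data.

```python
"""Added example: automating a compliance test and a substantive test.

Constructed sample data (not from any bank system):
- CHANGE_LOG: production changes recorded by a change-management tool
- TICKETS:    change tickets with their approval status
- ACCOUNTS:   active user accounts exported from a core banking application
- HR_ROSTER:  staff list from HR with employment status
"""
from datetime import date

CHANGE_LOG = [
    {"change_id": "CHG-101", "ticket": "RFC-55", "implemented": date(2021, 4, 2), "by": "abebe"},
    {"change_id": "CHG-102", "ticket": "RFC-56", "implemented": date(2021, 4, 5), "by": "chaltu"},
    {"change_id": "CHG-103", "ticket": None, "implemented": date(2021, 4, 9), "by": "abebe"},
    {"change_id": "CHG-104", "ticket": "RFC-58", "implemented": date(2021, 4, 12), "by": "tolosa"},
]
TICKETS = {
    "RFC-55": {"status": "approved", "approved_on": date(2021, 4, 1)},
    "RFC-56": {"status": "approved", "approved_on": date(2021, 4, 6)},  # approved after go-live
    "RFC-58": {"status": "rejected", "approved_on": None},
}
ACCOUNTS = [
    {"user": "abebe", "role": "dba", "last_login": date(2021, 5, 1)},
    {"user": "chaltu", "role": "teller", "last_login": date(2021, 4, 30)},
    {"user": "tolosa", "role": "teller", "last_login": date(2021, 3, 1)},
    {"user": "svc_batch", "role": "batch", "last_login": date(2021, 5, 3)},
]
HR_ROSTER = {"abebe": "active", "chaltu": "active", "tolosa": "terminated"}


def compliance_test_change_approval(changes, tickets):
    """Compliance test: did the change-approval control operate?

    Every production change must reference a ticket that was approved
    before the change was implemented. Returns (change_id, reason) pairs
    for every change where the control did not operate as prescribed.
    """
    exceptions = []
    for chg in changes:
        tid = chg["ticket"]
        if tid is None:
            exceptions.append((chg["change_id"], "no change ticket referenced"))
            continue
        ticket = tickets.get(tid)
        if ticket is None:
            exceptions.append((chg["change_id"], f"ticket {tid} not found"))
        elif ticket["status"] != "approved":
            exceptions.append((chg["change_id"], f"ticket {tid} status is {ticket['status']}"))
        elif ticket["approved_on"] > chg["implemented"]:
            exceptions.append((chg["change_id"], f"ticket {tid} approved after implementation"))
    return exceptions


def substantive_test_orphan_accounts(accounts, roster, known_service_accounts=()):
    """Substantive test: is the access list valid and complete?

    Flags enabled accounts with no matching active HR record. Service
    accounts must be on an explicit allow-list; otherwise they are
    reported too, so that unregistered accounts cannot hide as 'services'.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user in known_service_accounts:
            continue
        status = roster.get(user)
        if status is None:
            findings.append((user, "no HR record (unknown user or unregistered service account)"))
        elif status != "active":
            findings.append((user, f"HR status is {status}, account still enabled"))
    return findings


if __name__ == "__main__":
    for change_id, reason in compliance_test_change_approval(CHANGE_LOG, TICKETS):
        print("compliance exception:", change_id, reason)
    for user, reason in substantive_test_orphan_accounts(ACCOUNTS, HR_ROSTER):
        print("substantive finding:", user, reason)
```

Each function returns its exceptions as data rather than only printing them, so the output can go straight into the working summary paper for the test alongside the test purpose and the audit program reference. Note that the substantive test reports the service account until the auditor has obtained an approved list of service accounts; the absence of that list is itself a finding about completeness of the access records.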

4.7. Advice and Informal Communications


IS auditors should discuss any findings with the auditee. The auditee should offer
insights and work with the auditor to determine the best method of resolving the
finding. Usually these communications are oral; in more complex situations, however,
memos and/or e-mails are written to ensure a full common understanding between the
client and the auditor.


4.8. Audit Finding Summary


1. Upon completion of the fieldwork, the auditor summarizes the audit findings,
anticipated risks, recommendations and auditee responses needed for the draft
audit report.
i. Audit findings emerge from a process of comparing what should be with what
is. Findings have to be educative and helpful, and describe something which:
a) should have been done but was not;
b) should not have been done but was done; or
c) was done improperly.
ii. Anticipated risks are the IT auditor's evaluation of the effect of the findings
on the organization, i.e. the probable occurrence or the expected risk arising
from the finding.
iii. Recommendations are based on the IT auditor's findings and conclusions.
They call for action to correct existing conditions or improve operations.
Recommendations may suggest approaches to correcting or enhancing
performance as a guide for management in achieving the desired results.
iv. Auditee responses are the audited entity's response to the audit findings. The
auditee response must be written exactly as the auditee stated it and must not
be changed by the auditors.
v. Conclusion/auditor's opinion: -

4.9. Degrees of Significance of Findings


Each finding and its impact have to be categorized as follows:
• Major: prevents the meeting of a major objective
• Minor: warrants reporting but does not affect a major objective
• Insignificant: random human errors not warranting reporting


4.10. Discussion Draft
1. At the conclusion of the fieldwork, IT auditors draft the audit finding summary
report.
2. IT auditors thoroughly review the audit working papers and discuss the draft
before it is presented or sent to the client. This discussion draft is submitted for
the client's review before the exit conference.
3. The IT auditors must schedule and confirm with the auditee the time at which the
exit conference will be held.

4.11. Exit Conference
1. When the draft finding summary has been submitted to the auditee, IT auditors must
meet with the client's management to discuss the findings, the risks and the
recommendations put forward. At this meeting the client comments on the draft, and
the client and the IT auditors work to reach agreement on the audit findings.
Importance of the exit conference:
• Ensures a common understanding of the audit findings by both parties;
• Highlights the internal control loopholes detected during the audit to the audit
client's management;
• Urges the auditee's management to subsequently send an audit rectification report
as per the agreed action plan;
• Advises the auditee not to limit themselves to rectifying the reported audit findings
only, but to identify other similar findings that may materialize in day-to-day
operations, so that they can take appropriate control measures;
• Acknowledges their cooperation towards the successful accomplishment of the
audit task.
2. After the exit conference the auditee should prepare a detailed action plan for the
findings that explains how the reported findings will be resolved and includes an
implementation timetable. The IT auditors use the prepared action plan as a checklist
for the follow-up audit.

PART V

5. REPORTING AND FOLLOW-UP


5.1 Final Report
Issuing the final report involves:
a) Internal IT auditors prepare a formal draft, taking into account any revisions
resulting from the exit conference and other discussions.
b) The Internal Audit Process prints and distributes the final report to the appropriate
processes.

5.4 Standards for Audit Reporting


The IT audit reporting format is the same as for other audit types. IT auditors should
follow the IIA Standards for reporting. The IIA standards explicitly describe what the
audit report must look like; basically they require that:
a) A signed, written report is issued after the audit examination is completed.
b) Auditors discuss conclusions and recommendations at appropriate levels of
management before issuing final written reports.
c) Reports are objective, clear, concise, constructive and timely.
d) Reports present the purpose, scope and results of the audit and, where
appropriate, contain an expression of the auditor's opinion.

5.5 Audit Report Content


a) The primary purpose and function of the audit report is to record and communicate
the auditor's findings and to recommend courses of action to correct weaknesses.
It should also persuade the reader of the importance of the audit work.
b) The report is written in a standard format, as mandated by generally accepted
auditing standards. The standards require or allow certain variations in the report,
depending on the circumstances of the audit work the auditor engaged in.
The common contents of IT audit reports are:
1. Executive summary: provides the reader of the report with background information
on the audit work.
2. Introduction: tells the audience exactly what will be discussed in the report and/or
briefly describes the process or activity being audited.
3. Audit objective(s): explicitly states the goals, aims and purpose of the audit; the
areas selected in the objective govern the scope of the audit work.
4. Scope and methodology of the audit: states the start and completion dates of the
audit and explains the evidence collection and analysis techniques used to attain
the audit objectives.
5. Audit findings summary: explains the major findings with their attributes. The
attributes (features) of an audit finding are:
a) Condition/finding: the factual statement of what was found in the course of
the examination (what exists?).
b) Anticipated risk: the impact of the finding.
c) Recommendation: the corrective action to be presented to the auditee (what
should be done?).
d) Auditee's response: the client's opinion on the finding.

6. Conclusions: lastly, audit conclusions are drawn by the IT auditors after the audit
has been completed, by considering the audit findings against the audit objectives.
These conclusions should be independent and factual, and not based on assumptions.

5.2 Audit Follow-Up


Audit follow-up involves:
a) The auditee's response letter is reviewed, and the actions taken to resolve the audit
report findings may be tested to ensure that the desired results were achieved.
b) All unresolved findings will be discussed in the follow-up report.
c) Internal IT auditors will perform a follow-up review to verify the resolution of the
report findings within approximately one year of the final report.

5.3 Follow-up Report


The follow-up report will include the following:
a) A list of the actions taken by the client to resolve the original report findings.
b) Unresolved findings, each with a brief description of the finding, the original
audit recommendation, the client's response and the current condition.
c) A discussion draft of each report with unresolved findings is circulated to the
auditee before the report is issued.
d) The follow-up review results are then circulated to the original report recipients
and to other responsible bodies as deemed appropriate.


PART VI
6. Audit Work Papers

Importance of Working Papers

• Indicates professionalism
• Documents work performed
• Evidences conditions found
• Supports audit reports
• Facilitates reviews by others

Benefits of Adequate Documentation

• Facilitates planning
• Provides a record of weaknesses, errors and irregularities detected by the audit
• Confirms and supports the auditor's judgments, opinions and reports
• Serves as a source of information for preparing the report or answering enquiries
from the audited entity or from any other party, and provides a record of work done
for future reference
• Shows compliance with auditing standards and guidelines
• Supports or provides a defense against claims, lawsuits and other legal processes
• Helps and provides evidence of the auditor's professional development
• Facilitates review, supervision and quality assurance

6.1. Documenting Audit Evidence


1. IT auditors should adequately document the audit evidence in working papers,
including the basis and extent of the planning, the work performed and the findings
of the audit.
2. Working papers should be complete, clear, logical and well organized, indicate
their source and contain substantive material; the supporting evidence must be
annexed for supervisory review.
3. All audit plans, programs, activities, tests, findings and incidents should be properly
documented in work papers.
4. The format and media of work papers can vary, depending on the specific needs of
the department.
5. IT/IS auditors should particularly consider how to maintain the integrity and
protection of audit test evidence, in order to preserve its value as substantiation of
the audit results.
6. Work papers can be considered the bridge or interface between the audit
objectives and the final report.
7. Work papers should provide a seamless transition, with traceability and support for
the work performed, from objectives to report and from report to objectives. In this
context the audit report can itself be viewed as a particular work paper.
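Point 5 above (preserving the integrity of test evidence) can be enforced mechanically rather than by procedure alone. The script below is an added example, not the bank's or ISACA's procedure, and the manifest layout is this example's own. It hashes every evidence file with SHA-256 into a manifest that records who collected the set and when, and re-verifies the set at supervisory review, reporting any file that was modified, removed or added since collection. The evidence files and the auditor name used in `demo()` are constructed samples.

```python
"""Added example: protecting the integrity of working-paper evidence.

Each evidence file collected during a test is hashed (SHA-256) into a
manifest at collection time. Re-running the verification at review time
detects any later change to the evidence set. The manifest format here
is invented for the example, not a bank or ISACA format.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _list_files(evidence_dir):
    """Relative paths of every file under evidence_dir, sorted for a stable manifest."""
    found = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            found.append(os.path.relpath(os.path.join(root, name), evidence_dir))
    return sorted(found)


def build_manifest(evidence_dir, auditor, manifest_path):
    """Hash every evidence file and write a manifest recording collector and time."""
    files = {
        rel: {
            "sha256": sha256_file(os.path.join(evidence_dir, rel)),
            "bytes": os.path.getsize(os.path.join(evidence_dir, rel)),
        }
        for rel in _list_files(evidence_dir)
    }
    manifest = {
        "collected_by": auditor,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_manifest(evidence_dir, manifest_path):
    """Return (ok, problems); problems lists (kind, path) for modified, missing or added files."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    present = set(_list_files(evidence_dir))
    problems = []
    for rel, rec in sorted(manifest["files"].items()):
        if rel not in present:
            problems.append(("missing", rel))
        elif sha256_file(os.path.join(evidence_dir, rel)) != rec["sha256"]:
            problems.append(("modified", rel))
    for rel in sorted(present - set(manifest["files"])):
        problems.append(("added", rel))
    return (not problems), problems


def demo():
    """Constructed evidence set: verify, then tamper with one file and verify again."""
    with tempfile.TemporaryDirectory() as work:
        evidence = os.path.join(work, "evidence")
        os.makedirs(evidence)
        with open(os.path.join(evidence, "user_list_2021-05-03.csv"), "w") as f:
            f.write("user,role\nabebe,dba\nchaltu,teller\n")  # constructed sample export
        with open(os.path.join(evidence, "change_log_q3.txt"), "w") as f:
            f.write("CHG-101 RFC-55 2021-04-02\n")  # constructed sample log
        manifest = os.path.join(work, "manifest.json")  # kept outside the evidence folder
        build_manifest(evidence, "IT Auditor A", manifest)
        before = verify_manifest(evidence, manifest)
        # Simulate a later, undocumented edit to one piece of evidence.
        with open(os.path.join(evidence, "user_list_2021-05-03.csv"), "a") as f:
            f.write("tolosa,teller\n")
        after = verify_manifest(evidence, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately written outside the evidence folder and should itself be signed off by the supervisor or stored read-only, since anyone who can rewrite both the evidence and the manifest could otherwise cover a change. Checking for added files matters as much as checking for modified ones: evidence slipped into the folder after the test date would not be traceable to the work actually performed.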


Appendices
1. Information System Audit Standards
ISACA IS Audit and Assurance Standards are divided into three categories:

1.1. General Standards


General standards are the guiding principles under which the IS audit and assurance
professional operates. They apply to the conduct of all assignments and deal with the IS
audit and assurance professional's ethics, independence, objectivity and due care, as
well as knowledge, competency and skill.
In conducting an IS audit or assurance assignment, the IS audit and assurance
professional will be required to make a number of key decisions regarding the subject
matter to be audited and the criteria against which the subject matter is to be assessed.
In doing so, the professional will need to consider the benchmarks against which the
assignment is to be conducted (standards) and against which the subject matter is to
be assessed (criteria).

1.2. Performance Standards


Performance standards establish baseline expectations for the conduct of IS audit and
assurance engagements. While these standards apply to IS audit and assurance
professionals performing any IS audit or assurance assignment, compliance is particularly
important when they are acting in an audit capacity. Accordingly, the performance
standards focus the IS audit and assurance professional's attention on the design of
the assurance work, the conduct of the assurance, the evidence required, and the
development of IS audit and assurance findings and conclusions.

1.3. Reporting standards


The reports produced by IS audit and assurance professionals will vary, depending on
the type of assignments performed. Considerations include the levels of assurance,
whether IS audit and assurance professionals were acting in an audit capacity, whether
they are providing direct reports on the subject matter or reporting on assertions regarding
the subject matter, and whether the reports are based on work performed at the review
level or the examination level.

2. IT Governance and COBIT


Simply put, IT governance is putting structure around how companies align IT strategy
with business strategy, ensuring that companies stay on track to achieve their strategies
and goals, and implementing good ways to measure IT's performance. It makes sure that
all stakeholders' interests are taken into account and that processes provide measurable
results.
An IT governance framework should answer some key questions, such as how the
IT department is functioning overall, what key metrics management needs and
what return IT is giving back to the business from the investment it is making.

2.1. COBIT
The control framework COBIT (Control Objectives for Information and related
Technology) is used as a benchmark in preparing this guideline, as it is a globally
accepted set of IT control objectives for IT governance and risk management.

ii

Internal Audit Process Information System Audit Guideline


Cooperative Bank of Oromia Information System Audit Guideline

The business orientation of COBIT consists of linking business goals to IT goals,
providing metrics and maturity models to measure their achievement, and identifying the
associated responsibilities of business and IT process owners.

COBIT consists of principles, practices, tools and models to help enterprises improve
information and technology management processes. The COBIT framework is published
and continually updated by ISACA (earlier editions jointly with the IT Governance
Institute). COBIT 5 was released in 2012 and has since been superseded by COBIT 2019.
IT controls are grouped as preventive, detective and corrective controls. At the
planning stage it suffices for the auditor to form a general opinion on the nature and
adequacy of the controls deployed in an IT system, and on the areas where the controls
are weak and vulnerable. This forms the basis for the extent, the areas and the depth of
testing required. It is also essential that these steps are recorded in detail to serve as
pointers.
Preventive controls
• Detect problems before they arise,
• Monitor both operations and inputs,
• Attempt to predict potential problems before they occur and make adjustments,
• Prevent an error, omission or malicious act from occurring.
Detective controls
• Detect and report the occurrence of an error, omission or malicious act.
Corrective controls
• Minimize the impact of a threat,
• Resolve problems discovered by detective controls,
• Identify the cause of a problem,
• Correct errors arising from a problem,
• Modify the processing systems to minimize future occurrences of the problem.


It can also be necessary to sub-divide the above groups of IT controls into subcategories
to further streamline the audit planning and the areas of audit, such as:
• Physical,
• Environmental,
• Logical,
• Application,
• General,
• Infrastructure,
• Management.

3. Substantive Contributions of the IT Auditor to the Financial Audit


Though a financial statement audit and an IT audit differ in the purpose they stand for,
it is evident that IT auditors can make substantive contributions to a financial audit.
This is seen when the financial audit team plans to rely on one or more controls: those
controls need to be tested for assurance that they operated effectively throughout the
financial period. Today that usually means an automated control, and thus the need for
an IT auditor.
At this point three things are worth noting. First, when an automated control exists
whose purpose is essentially the same as the audit objective of some further audit
procedure, there is potential to gain efficiency (e.g. less labour) and effectiveness
(e.g. testing at 100 percent), but the IT auditor needs to know and understand the
effective employment of Tests of Controls (ToC). Second, if ToC are to be used, the IT
auditor must have sufficient assurance of the effectiveness of IT general controls.
Third, the risk-based standards require that the relevant IT controls were designed
properly and implemented. The IT auditor will need evidence to that effect, which should
be found in the results of the risk assessment phase of the financial audit.


Another important area of contribution by the IT auditor to the financial statement
audit is bringing an accurate assessment of the Risk of Material Misstatement (RMM),
the inherent risk associated with IT and the control risk.
The Risk Based Approach (RBA) auditing standards describe a process whereby
auditors take a rigorous approach to accurately identifying the level of risk in account
balances, classes of transactions and disclosures. That is, each aspect is evaluated on
its own level of risk with no pre-audit assumptions. Then, for those aspects with a high
RMM, the audit team develops relatively high-powered tests; for moderate risk,
moderate-power tests; and for low risk, low-power tests (i.e. the RBA standards
require an alignment of risk with the nature, timing and extent [NTE] of further
audit procedures).
The assumption in the RBA is that the audit team starts with a clean slate each year,
although prior audits and other information are key inputs to the audit planning phase.
A process that insulates or ignores the work of IT auditors in the risk assessment phase,
or that overlooks the risk assessment report, clearly violates the spirit of the RBA
standards. Therefore, the IT auditor needs to make every effort to be engaged and
involved in the audit planning phase, and to bring evidence, conclusions and
information about controls and risks to that process, in order to end up with the optimal
audit plan.


4. Auditing the Business Continuity Plan


Before auditing the bank's Business Continuity Plan (BCP) or providing
recommendations that can enhance current and future business continuity efforts, it is
important for internal auditors to understand the different components of the Business
Continuity Management (BCM) process.

• Overall, BCM is defined as the development of strategies, plans and actions to
protect, or provide an alternative mode of operation for, business processes that, if
interrupted, could seriously damage the bank or cause it fatal losses.

Hence, BCM processes provide a framework to ensure the bank's resilience to any event
and to help ensure the continuity of services to its customers. In addition, BCM activities
serve as the basis for plans that can help the bank ensure its long-term survival following
a disruptive event.

Besides business continuity planning, BCM includes disaster recovery and crisis
management. The following section gives a brief description of each.

4.1. Three Basic Elements of Effective BCM


In essence, a Business Continuity Plan (BCP) addresses the bank's ability to continue
functioning when normal operations are disrupted. The plan incorporates the policies,
procedures and practices that allow the bank to recover and resume manual and
automated mission-critical processes after a disaster or crisis. Besides stating the
practices that must be followed in the event of an interruption, some BCPs include other
components such as disaster recovery, emergency response, user recovery, and
contingency and crisis management activities.
Therefore, in a company, business continuity is seen as an all-encompassing term that
covers both disaster recovery and the resumption of business activities.
Whether part of the BCP or a separate document, Disaster Recovery Plans (DRPs)
should define the resources, actions, tasks and data required to manage the bank's
recovery process in the event of a business interruption. The plan should also assist the
bank in restoring affected business processes by outlining the specific steps the bank
must take on its path to recovery. Specifically, the DRP is used for the advance
preparation and planning needed to minimize disaster damage and to ensure the
availability of the bank's critical information systems.
• In terms of IT, DRPs address the recovery of critical technology assets, including
systems, applications, databases, storage devices and other network resources.
Finally, Crisis Management Plans (CMPs) enable the bank to respond effectively to an
event. These plans are usually created as separate documents that help the bank
stabilize a situation before recovery operations take place as outlined in the DRP or BCP.
In addition, CMPs describe what systems are in place to quickly gather information about
a disaster and how to interpret the information needed to prevent further confusion and
chaos. Although not all disasters require the use of crisis management tactics, creating
and implementing an effective CMP can help the bank provide the support that staff
members need to cope with the stressful situations stemming from a disaster.

4.2. Auditing the BCM Process


Given the wide reach of BCM activities, what is the IT auditor's role in the BCM process?
First, the IT auditor needs to evaluate the bank's business continuity readiness on a
regular basis and inform management of the evaluation results. To do so, the
auditor needs to determine whether the BCM process enables the bank to maintain
business operations in the event of a disaster.


In addition, the auditor needs to review the adequacy of the BCP, and of the DRP if
separate, in ensuring the timely resumption of operations, and determine whether these
plans reflect the current operating environment.

4.3. BCM Audit Components


Once the bank has an established BCM process, the IT auditor can review the plans,
controls and processes that are in place to support it. The audit fieldwork phase looks
similar to that of any audit project. Key actions to be performed during the audit include:
• Conducting interviews with management and other bank stakeholders to
determine their involvement in business continuity planning efforts;
• Reviewing the BCM document to determine its completeness, accuracy and
timeliness;
• Reviewing supporting BCM documents, such as procedural manuals, guidelines
and training materials;
• Evaluating the effectiveness of the BCP and DR plans by reviewing plan test results
or the results of actual disasters in which the BCP or DRP was used;
o This can be done by asking questions such as: Did it work? What
worked and why? What did not work and why? Was the process improved?
• Analysing the audit report's conclusions and recommendations.
The IT auditor should also be involved in the recovery period. This is an ideal time to
evaluate the entire BCM process. During the recovery period the auditor can monitor the
effectiveness of bank-wide recovery and control operations, recommend
improvements, provide support during recovery activities and assist in identifying lessons
learned.
Here are some questions the IT auditor can ask during the audit of the BCM process:
• Are the plans up to date?
• Are all critical systems and business functions included in the plan?
• Are the plans documented?
• Have responsibilities been assigned?
• Are the plans based on a risk assessment?
• Are the plans tested and revised based on the plan test results?
• Where are the plans stored, and are they stored safely?
• Do the plan action steps coordinate with local emergency services?
• Are the alternate data center locations known to everyone?
• Is the location of data backups known?
• Does the bank have adequate staff to implement the plans?
Answering these questions can help auditors evaluate the effectiveness of bank-wide
BCM processes and provide recommendations that help the bank better address its
business continuity needs.


5. AUDIT REPORTING AND FORMATS


1. Engagement Plan

Date: _______________

1. Name of Auditee (Auditable unit): ____________________
2. Previous Audit Status/History: ____________________
3. Auditable Area: ___________________________________
4. Assigned Auditors' Names / Team Members:
   1._________________________
   2._________________________
5. Objective of the Audit: _________________________
6. Scope and Methodology of the Audit: ________________________
7. Time Required:

EXPECTED NUMBER OF WORKING DAYS TO BE CONSUMED

| Expected duration | Pre-Auditing | Auditing | Reporting | Total Working Days |
|-------------------|--------------|----------|-----------|--------------------|
| No. of days       |              |          |           |                    |


8. Activity Detailed Plan

| No | Duties and responsibilities to be undertaken | Period or time frame: Start | End | Name of IT Auditor | No. of days |
|----|----------------------------------------------|-----------------------------|-----|--------------------|-------------|
| 1  | Pre-Audit                                    |                             |     |                    |             |
| 2  | Field Work                                   |                             |     |                    |             |
| 3  | Reporting                                    |                             |     |                    |             |
|    | Total Working Days                           |                             |     |                    |             |

Prepared By Signature Date

------------------------------- ----------------------------- ------------------------

Approved By Signature Date

------------------------------- ----------------------------- ------------------------


2. Engagement Letter Format


Date: _____________

To: __________________ From: Internal Audit Process

Subject: IT Audit Engagement for _________ Quarter

This is to inform you that we have scheduled an IT audit on ____________ in _____,
starting from ________ G.C.

To this end, IT auditors _________, __________ and ___________ will come to your
office for the audit. We therefore kindly request your office to cooperate with them by
providing all necessary documents and assistance pertaining to their work, and by making
staff available for the interviews required for audit purposes.

Regards,

Manager, IT and IS Audit Team


3. Document or System Access Request Format

To: From: Internal Audit Process

Subject:

Note: this format is used to request anything needed for audit purposes, whether a
system access privilege or documents.

1. Requested by:
   Name: -------------------
   Signature: ----------------
   Date: --------------
2. Required material and its purpose: ---------------------------------------
3. Date of request: ---------------------------------
4. Date of return: ----------------------------------


4. Audit Reporting Format

Internal Audit Process

1. Cover page
2. Table of contents
3. Introduction
4. Objective of the audit
5. Scope and methodology of the audit
6. Summary of significant audit findings:

| No | Audit Findings | Anticipated risks | Recommendation | Response/Justification of the Auditee |
|----|----------------|-------------------|----------------|---------------------------------------|
|    |                |                   |                |                                       |

7. Conclusions


5. Audit Summary Report Format

Internal Audit Process

Audit Summary Report

| Sr. No. | Audit Findings | Anticipated risks | Recommended Corrective Measures | Auditee's Justification on the Audit Findings |
|---------|----------------|-------------------|---------------------------------|-----------------------------------------------|
|         |                |                   |                                 |                                               |

Name of IT Auditor:         Signature:               Date:
----------------------      -----------------------  -----------------------
----------------------      -----------------------  -----------------------
Name of employees on the auditee side who attended the meeting:
----------------------      -----------------------  -----------------------
----------------------      -----------------------  -----------------------


6. Audit Follow-up Progress Summary Format

Internal Audit Process

| Sr. No. | Audit Findings | Recommended corrective measures | Risk level based on impact & likelihood | Target date for rectification | Rectification status |
|---------|----------------|---------------------------------|-----------------------------------------|-------------------------------|----------------------|
|         |                |                                 |                                         |                               |                      |

Name of Auditor:                Signature:
1. ----------------------       -----------------------
2. ----------------------       -----------------------


7. Audit Follow-up Report Format

Cooperative Bank of Oromia S.C

Internal Audit Process

1. Cover page
2. Table of contents
3. Executive summary
   3.1 Introduction
   3.2 Objective of the audit
4. Summary of significant audit findings:

| Sr. No. | Audit Findings | Anticipated risks | Recommended Corrective Measures | Rectification status |
|---------|----------------|-------------------|---------------------------------|----------------------|
|         |                |                   |                                 |                      |


8. Cover Letter Format

Cooperative Bank of Oromia S.C

Internal Audit Process

Internal Memo

IAP/ Date: _____________

To: From: Internal Audit Process

Subject: Final Audit Report

As you know, the Internal Audit Process conducted a ________ audit on the Information
Technology Service Process based on the annual plan for the ______ fiscal year.
This is therefore to inform you that we have enclosed with this letter the final audit
report for your immediate rectification action.

With regards,

Chief Internal Auditor
