PROFESSIONAL CERTIFICATIONS
Certified Information Systems Auditor (CISA)
Certified in Risk and Information Systems Control (CRISC)
Certified Information Privacy Professional (CIPP)
Certified Information Systems Security Professional (CISSP)
Certified Information Security Manager (CISM)
Certified Internal Controls Auditor (CICA)
Forensics Certified Public Accountant (FCPA)
Certified Fraud Examiner (CFE)
Certified Professional Internal Auditor (CPIA)
Certified Information Technology Professional (CITP)
BASIC CONCEPTS
Auditor's Independence: Independence is the keystone upon which the respect and dignity of a profession is
based. Independence implies that the judgement of a person is not subordinate to the wishes or directions of
another person who might have engaged him, or to his own self-interest.
True and Fair: The phrase “true and fair” in the auditor’s report signifies that the auditor is required to
express his opinion as to whether the state of affairs and the results of the entity as ascertained by him in the
course of his audit are truly and fairly represented.
Audit Evidence: Information used by the auditor in arriving at the conclusions on which the auditor’s opinion
is based.
Required Knowledge
IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
IS auditing practices and techniques
Techniques to gather information and preserve evidence (e.g. observation, inquiry, interview, computer-assisted audit techniques (CAATs), electronic media)
The evidence life cycle (e.g., the collection, protection, chain of custody)
Control objectives and control related to IS (e.g., COBIT)
Risk assessment in an audit context
Audit planning and management techniques
Reporting and communication techniques (e.g. facilitation, negotiation, conflict resolution)
Control self assessment (CSA)
Continuous audit techniques
Types of IT audits
Different authorities have proposed different taxonomies to distinguish the various types of IT audits.
The spectrum of IT audits can generally be put in five categories of audits:
Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient,
and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at
all levels of a system's activity. System and process assurance audits form a subtype, focussing on business
process-centric business IT systems. Such audits have the objective to assist financial auditors.
Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure
timely, accurate, and efficient processing of applications under normal and potentially disruptive
conditions.
Systems Development: An audit to verify that the systems under development meet the objectives of the
organization, and to ensure that the systems are developed in accordance with generally accepted standards
for systems development.
Management of IT and Enterprise Architecture: An audit to verify that IT management has developed
an organizational structure and procedures to ensure a controlled and efficient environment for information
processing.
Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that
telecommunications controls are in place on the client, server, and on the network connecting the clients
and servers.
Forensic Audit involves the application of auditing and investigative skills to situations that may have legal
implications. Forensic audits may be required in the following instances:
Fraud investigations involving misappropriation of funds, money laundering, tax evasion and insider
trading
Quantification of loss in case of insurance claims
Determination of the profit share of business partners in case of a dispute
Determination of claims of professional negligence relating to the accountancy profession
Findings of a forensic audit could be used in the court of law as expert opinion on financial matters.
STAKEHOLDERS
The various stakeholders interested in audits are:
Professional associations and organizations, and government entities: These bodies have recognized the need for IT control
and auditability.
Investors and shareholders: These people own the organisation but, in many cases, will not be closely involved in its
day-to-day running.
Company accountants/Finance Directors: These people are essentially in charge of the finances of the
organisation being audited and, for them, going through an audit is mostly about confidence and peace of
mind. Having an independent expert poring over your figures might be a little bit uncomfortable at times,
but the reward is in making sure that your numbers are true and fair.
Financial analysts: These people help to determine what an organisation’s shares are worth and,
therefore, its value as a whole. They do so by independently analysing and commenting on its financial
position as well as making predictions about its future success. For financial analysts, audited accounts
are a vital tool, since they provide unbiased and independently checked information on which to base their
work.
Regulators: These independent organisations are tasked with overseeing a wide range of industries to
ensure individual firms are operating fairly and legally. They may make use of audited accounts as part of
the ongoing monitoring of each firm or to help with more specific investigations.
Other stakeholders: Depending on the organisation being audited, the outcome of an audit process may
be interesting to a whole range of other stakeholders, such as politicians, journalists and the general public.
Tasks of an IS auditor
Develop and implement a risk based IS audit strategy for the organization in compliance with IS audit
standards, guidelines and best practices
Plan specific audits to ensure that IT and business systems are protected and controlled
Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit
objectives
Communicate emerging issues, potential risks and audit results to key stakeholders
Advise on the implementation of risk management and control practices within the organization while
maintaining independence
Organizational Requirements
• The role of the IS audit function should be established by an audit charter.
• IS audit is most likely to be a part of internal audit; therefore, the audit charter may include other audit
functions
• This charter should state clearly management's responsibility and objectives for, and delegation of authority
to, the IS audit function
• This document should outline the overall authority, scope and responsibilities of the audit function
• The highest level of management and the audit committee, if available, should approve this charter. Once
established, this charter should be changed only if the change can be and is thoroughly justified
Rights of IS Auditors
1. The IS auditor has the right to have an engagement letter or audit charter specifying the scope, objective
and terms of reference of the audit
2. The IS auditor has the right to access appropriate information and resources to effectively and efficiently
complete the audit
3. The IS auditor has the right to believe that management has established appropriate controls to prevent,
detect and deter fraud unless the tests and evaluation carried out by the IS auditor prove otherwise
4. The IS auditor has the right to call for such information and explanations deemed necessary and
appropriate to permit objective completion of the audit
5. The IS auditor has the right to retain the working files, documents, audit evidences, etc., obtained during
the course of the audit, in support of his/her conclusions and to use the same as the basis of reference in
case of any issues or contradictions
Limitations
1. The IS auditor should have sufficient knowledge to identify the indicators of fraud but may not be
expected to have the expertise of the person whose primary responsibility is detecting and investigating
fraud
2. The IS auditor should be alert to the significant risks that might affect objectives, operations or resources.
However, assurance procedures alone, even when performed with due professional care, do not guarantee
that all significant risks will be identified
3. Where the IS auditor is not able to obtain required information, is restricted from accessing resources or
is in any way restrained from carrying out his/her function, the IS auditor should escalate his/her
concerns to appropriate senior levels in management. The IS auditor should conduct the audit in a
professional manner
4. Where the IS auditor has utilized the services of an external expert, the IS auditor should evaluate the
usefulness and sufficiency of work performed by such external expert and also perform appropriate
testing to confirm the findings of the external expert
5. The IS auditor is not responsible for implementing corrective actions
IT Audit Program
The following are basic steps in performing the Information Technology Audit Process:
1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up
6. Reports
An effectively planned and developed IT audit program should:
Identify areas of greatest IT risk exposure to the organization.
Promote the confidentiality, integrity and availability of information systems.
Determine the effectiveness of management's planning and oversight of IT activities.
Evaluate the adequacy of operating processes and internal controls.
Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control
procedures.
Recommend appropriate corrective action to address deficient internal controls.
Follow-up with management to ensure that recommended corrective actions have been effectively
implemented.
Audit Documentation
In addition to the audit plan, the documentation for an IS audit includes:
A description or diagram of the IS environment
Audit programs
Minutes of meetings
Audit evidence
Findings
Conclusions and recommendations
Any report issued as a result of the audit work
Supervisory review comments, if any
Audit Evidence
Audit evidence is any information used by the auditor to determine whether the information being audited is
stated in accordance with established criteria; it comprises all the information used by the auditor in arriving at
the conclusions on which the audit opinion is based. The determinants of the persuasiveness of evidence are:
Competence – the degree to which evidence can be considered trustworthy.
Sufficiency – amount of evidence is enough to form a reasonable opinion.
Relevance – must pertain to the audit objective being tested.
Independence – evidence from outside the client is a stronger form of evidence
Effectiveness of client internal controls – good internal controls can mean better information.
Auditor direct knowledge – auditor determinations are stronger than client comments.
Qualifications – individual is a qualified source.
Degree of objectivity – objective evidence is stronger than subjective evidence.
Timeliness – balance sheet account evidence is better when it is collected around the date of the
financial statement. Income statement evidence should sample entire period.
Management Response
In response to the audit results, management should commit to a program of corrective action, with dates by
which the action plan will be implemented.
Although management is responsible for deciding the appropriate actions to be taken in response to the
reported audit findings, the IS auditor is responsible for assessing management actions for timely resolution of
the audit findings.
However, senior management may decide to assume the risk of not correcting the reported conditions because
of cost or other considerations.
The IS auditor should follow up to determine whether such a decision has been made.
Computer Fraud
Computer fraud is the act of using a computer to take or alter electronic data, or to gain unlawful use of a
computer or system.
Types of computer fraud include:
Distributing hoax emails
Accessing unauthorized computers
Engaging in data mining via spyware and malware
Hacking into computer systems to illegally access personal information.
Sending computer viruses or worms with the intent to destroy or ruin another party's computer or system.
Phishing, social engineering, viruses, and DDoS attacks are fairly well-known tactics used to disrupt service or
gain access to another's network, but this list is not exhaustive.
CAT 1
1. Explain the different types of reports which are produced by IS auditors. [6 Mks]
2. Give any six Emerging Issues in Information Systems Audit. [6 Mks]
3. Explain the steps followed in auditing financial information systems [6 Mks]
4. Give six Audit functions which specialized software may perform [6 Mks]
5. Explain the impact of an IT environment on the audit process. [6 Mks]