
INFORMATION SYSTEM AUDITING PROCESS
Meeting 2 – Sessions 3 & 4
Faculty of Economics and Business
Universitas Padjadaran
UNDERSTANDING IS AUDIT

What is Assurance?
Definition of Assurance
“Assurance engagement” means an engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria.

What is Auditing?

Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
What is Auditing?
- Systematic process
- by which a competent, independent person
- objectively obtains and evaluates evidence
- regarding assertions (the act of stating clearly)
- about an economic entity or event
- for the purpose of forming an opinion about and reporting on the degree
- to which the assertion conforms to an identified set of standards.
Audit vs Assurance
- Audits are therefore a type of assurance service.
- However, audits only test the validity of the assertions in financial statements, and are subject to regulation under International Standards on Auditing. Assurance engagements designed to test historical financial information are referred to as assurance reviews (these are regulated by International Standard on Review Engagements (ISRE 2400)), but assurance reports can be obtained over many other subject matters and will then be subject to ISAE 3000 or other individual Standards on Assurance Engagements.
- Consulting services are not considered as assurance because in consulting services, an accountant generally uses their professional knowledge to make recommendations for a future event or a procedure, such as the design of an information system or accounting control system.
- In contrast, assurance services are designed to test the validity of past data of the business cycles. Although there is no boundary to what can be tested by assurance services, professional accountants cannot accept any engagement for which they do not believe themselves to be competent.
Types of Audit

Financial audits: assess the correctness of an organization’s financial statements. A financial audit will often involve detailed, substantive testing. This kind of audit relates to information integrity and reliability.
Operational audits: evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits.
Integrated audits: an integrated audit combines financial and operational audit steps. It is also performed to assess the overall objectives within an organization, related to financial information and assets’ safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.
Administrative audits: assess issues related to the efficiency of operational productivity within an organization (also called a compliance audit).
Forensic audits: traditionally, forensic auditing has been defined as an audit specialized in discovering, disclosing and following up on frauds and crimes. In recent years, the forensic professional has been called upon to participate in investigations related to corporate fraud and cybercrime.
Information systems audits: this process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance.
Types of IS Audit (agreed-upon procedures)

IS audits may be performed as a review, examination, or an agreed-upon procedures engagement, but they can be categorised in a number of ways. Although IS audits have focused increasingly on highly technical areas of IT, IS audit engagements are also often one of the following:
controls are assessed for the adequacy of their design and tested for their effectiveness. As examinations, the performed audit steps and the obtained evidence serve as a basis for audit reports to include conclusions and opinions.
Although general control audits can be limited to a single-topic area such as change control or disaster
recovery, the audits typically cover several topics reflecting an array of processes or functions. It is
recommended to use the audit report template that is provided in this guidance, especially for
extensive (lengthy) reports that contain audit findings pertaining to different control topics. The length
of a report is dependent upon the number of audit objectives and findings, requirements to explain how
work was performed, complexity of the technology, and information requirements of the readers.
Internal vs External Audit

                  Internal                                          External
Represents        the interests of the internal organization        the interests of third-party stakeholders
Activities        wide range; traditionally focused on compliance   typically in the form of a financial audit
Appointed by      management                                        third-party stakeholders
Independence      less independent                                  more independent

The Three Lines of Defense: Internal vs External Audit
The need for IS/IT in Financial Audit

ISA requirements
38.1 Components of Internal Control
The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including (amongst others) how the information system captures events and conditions, other than transactions, that are significant to the financial statements (ISA 315.18d).

Methodology requirements
38.2 Use of an Information Technology expert
The auditor shall determine whether to use the work of an Information Technology expert. If an Information Technology expert is required, the auditor shall apply the requirements for using an Auditor’s Expert.
The need for IS/IT in Internal Audit

2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems.

1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
Why do we need to understand IS and IS Audit?

Technology has impacted 3 significant areas of the business environment:
- What can be done in business in terms of information and as a business enabler. It has become a critical component to business processes.
- The control process. Technology has altered the way in which systems should be controlled. Safeguarding assets, as a control objective, remains the same whether it is done manually or is automated. However, the manner by which the control objective is met is certainly impacted.
- The auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency and integrity, and reporting integrity.

IS auditing is an integral part of the audit function because it supports the auditor’s judgement on the quality of the information processed by the system.
Overview of IT Control (scope: IT infrastructure/environment)

IS Auditing

IS auditing is the formal examination, interview and/or testing of information systems to determine whether:
- Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
- IS data and information have appropriate levels of confidentiality, integrity and availability.
- IS operations are being accomplished efficiently, and effectiveness targets are being met.
IS AUDIT
- An IS audit focuses on determining risks that are relevant to information assets, and on assessing controls in order to reduce or mitigate these risks.
- An IS audit may take the form of a "general control review" or an "application control review". Regarding the protection of information assets, one purpose of an IS audit is to review and evaluate an organization's information system's availability, confidentiality, and integrity by answering questions like:
  - Will the organization's computer systems be available for the business at all times when required? (Availability)
  - Will the information in the systems be disclosed only to authorized users? (Confidentiality)
  - Will the information provided by the system always be accurate, reliable, and timely? (Integrity)
An IS audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, whether any breach in security has occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.
IS Audit Process

Source: ISACA Audit Guidelines

Simplified IS Audit Activities
1. Plan audit & gather info.
2. Review internal control
3. Perform compliance & substantive tests
4. Prepare & present report
IS AUDIT STANDARDS
IT Assurance Framework (ISACA)
- ISACA Code of Professional Ethics
- ISACA Audit and Assurance Standards
  Standards Statements
  - General Standards
  - Performance Standards
  - Reporting Standards
- IS Audit and Assurance Guidelines
  - General Guidelines (2000 series)
  - Performance Guidelines (2200 series)
  - Reporting Guidelines (2400 series)
- IS Audit and Assurance Tools and Techniques

Standards Statements
INDEPENDENCE

IS audit and assurance professionals should:


IS AUDIT PLANNING
What is an Audit Plan?

The auditor is faced with the questions of what to audit, when and how frequently. The answer to this is to adopt a risk-based approach.
While there are risks inherent to information systems, these risks impact different systems in different ways. The risk of unavailability even for an hour can be serious for a billing system at a busy retail store.
The risk of unauthorized modification can be a source of frauds and potential losses to an online banking system. A batch processing system or a data consolidation system may be relatively less vulnerable to some of these risks.
The technical environments on which the systems run also may affect the risk associated with the systems.
The auditor then can draw up a yearly audit plan that lists the audits that will be performed during the year, as per a schedule, as well as the resources required.
Audit Plan

To plan an audit, the following activities must be completed:
1. List all processes that are considered for the audit.
2. Evaluate by performing a risk assessment based on objective criteria.
3. Define the overall risk.
4. Construct an audit plan.
Subject, Objective, and Scope

Audit Subject: the area to be audited.
E.g., Information Systems related to Sales.

Audit Objective: the purpose of the audit.
E.g., determine whether the Sales database is safe against data breaches due to inappropriate authentication, access control, or hacking.

Audit Scope: constrains the audit to a specific system, function, unit, or period of time.
E.g., scope is constrained to Headquarters for the last year.
Audit Criteria

The standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter. Criteria should be:
- Free from bias
- Include all relevant factors to reach a conclusion
- Provide for consistent measurement

In an attestation engagement, criteria are the benchmarks against which management’s written assertion on the subject matter can be evaluated. The practitioner forms a conclusion concerning the subject matter by referring to suitable criteria.
Audit Objective Example

Audit Scope Example

Things to prepare in Audit Planning
- Gain an understanding of the business’s mission, objectives, purpose and processes.
- Understand changes in the business environment of the auditee.
- Review prior work papers.
- Identify stated contents, such as policies, standards and required guidelines, procedures and organization structure.
- Perform a risk analysis to help in designing the audit plan.
- Set the audit scope and audit objectives.
- Develop the audit approach or audit strategy.
- Assign personnel resources to the audit.
- Address engagement logistics.
Other things to consider

- Reading background material, including industry publications, annual reports and independent financial analysis reports
- Reviewing prior audit reports or IT-related reports (from external or internal audits, or specific reviews such as regulatory reviews)
- Reviewing business and IT long-term strategic plans
Risk Analysis in Audit Planning

- Understand the relationship between risk and control.
- Identify and differentiate risk types and the controls used to mitigate the risk.
- Evaluate risk assessment and management techniques used by the organization.
- Understand that risk exists as part of the audit process.
Understanding business process and application system

ACCOUNT     PROCESS ACTIVITIES   CONTROL     TYPE OF CONTROL   APPLICATION SYSTEM
Account A   Process A            Control A   Manual
            Process B            Control B   Manual
                                 Control C   Automated         Application A
            Process C            Control D   Manual
                                 Control E   Automated         Application A
Account B   Process D            Control F   Manual
                                 Control G   Automated         Application B

Risk analysis and identification of controls; application control risk assessment
Risk Assessment

A risk assessment assists the IS auditor in identifying risk and threats to an IT environment and IS system, and it helps in the evaluation of controls.
Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization. It supports risk-based audit decision making by considering variables, such as:
- Technical complexity
- Level of control procedures in place
- Level of financial loss
Risk-based approach in planning
The steps that can be followed for a risk-based approach to making an audit plan are:
1. Inventory the information systems in use in the organization and categorize them.
2. Determine which of the systems impact critical functions or assets, such as money, materials, customers, decision making, and how close to real time they operate.
3. Assess what risks affect these systems and the severity of impact on the business.
4. Rank the systems based on the above assessment and decide the audit priority, resources, schedule and frequency.
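The four steps above, worked through as an added Python example that is not part of the lecture slides: the system inventory (modelled on the billing, online banking and batch examples the slides mention), the scoring weights and the frequency thresholds are constructed assumptions, and the output is the ranked list with a proposed audit frequency.

```python
"""Risk-based ranking of an IS inventory to set audit priority and frequency.

Added example (not from the lecture slides). The systems, the weights and the
frequency thresholds are constructed assumptions used to illustrate the steps.
"""
from dataclasses import dataclass, field

# Step 1: inventory and categorize. The "category" values are assumptions.
@dataclass
class InfoSystem:
    name: str
    category: str                 # e.g. "transactional" or "batch"
    critical_assets: set          # which critical functions/assets it touches
    realtime: int                 # 0 = periodic batch ... 3 = real time
    risk_impact: dict = field(default_factory=dict)  # risk name -> impact 1..5

# Step 2: the critical functions/assets named in the slide, plus closeness to real time
CRITICAL_ASSETS = {"money", "materials", "customers", "decision_making"}

def criticality(system: InfoSystem) -> int:
    """Number of critical assets touched plus the real-time rating (0-3)."""
    return len(system.critical_assets & CRITICAL_ASSETS) + system.realtime

# Step 3: severity of the risks affecting the system. The highest impact
# dominates; the other risks add a quarter each so a system exposed to several
# risks ranks above one exposed to a single risk of the same impact.
def risk_severity(system: InfoSystem) -> float:
    impacts = sorted(system.risk_impact.values(), reverse=True)
    if not impacts:
        return 0.0
    return impacts[0] + 0.25 * sum(impacts[1:])

def risk_score(system: InfoSystem) -> float:
    return criticality(system) * risk_severity(system)

# Step 4: rank, then translate the score into an audit frequency (thresholds assumed)
def audit_frequency(score: float) -> str:
    if score >= 25:
        return "annual"
    if score >= 6:
        return "every 2 years"
    return "every 3 years"

def plan(systems):
    """Return (name, score, frequency) tuples, highest audit priority first."""
    ranked = sorted(systems, key=risk_score, reverse=True)
    return [(s.name, round(risk_score(s), 2), audit_frequency(risk_score(s)))
            for s in ranked]

# Constructed inventory mirroring the examples on the slide
SAMPLE_INVENTORY = [
    InfoSystem("retail billing", "transactional", {"money", "customers"}, 3,
               {"unavailability": 5, "unauthorized_modification": 3}),
    InfoSystem("online banking", "transactional", {"money", "customers"}, 3,
               {"unauthorized_modification": 5, "unavailability": 4}),
    InfoSystem("data consolidation", "batch", {"decision_making"}, 0,
               {"unavailability": 2, "unauthorized_modification": 2}),
    InfoSystem("payroll batch", "batch", {"money"}, 1,
               {"unauthorized_modification": 4}),
]

if __name__ == "__main__":
    for name, score, freq in plan(SAMPLE_INVENTORY):
        print(f"{name:20s} score={score:6.2f}  audit {freq}")
```

The two real-time, money-handling systems land at the top with an annual audit, while the batch consolidation system, which the slide calls relatively less vulnerable, is scheduled least often.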
Audit Program
The audit and assurance program is an early and critical product of the audit
process. It serves as a guide for performing and documenting all the audit steps
and the extent and types of evidential matter reviewed to ensure that audit
objectives are met. Although an audit program does not necessarily follow a
specific set of steps, the IS auditor typically would follow, as a minimum course of
action, sequential program steps to gain an understanding of the entity under
audit, evaluate the control structure and test the internal controls.
Audit Program Objective

The main objectives (value) of developing audit and assurance programs are:
1. Formally document audit procedures and sequential steps.
2. Create procedures that are repeatable and easy to use by internal or external auditors who need to perform similar audits.
3. Document the type of testing that will be used (compliance and/or substantive).
4. Meet generally accepted audit standards that relate to the planning phase in the audit process.
Developing Audit Program

Source: ISACA Audit Guidelines
Materiality in IS Audit
For systems and operations not affecting financial transactions, the following are examples of measures that should be considered to assess materiality:
IS AUDIT PERFORMANCE
Testing Method

Compliance testing: tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.
Substantive testing: obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
Testing Procedures

- Inquiry
- Observation
- Inspection
- Re-performance
- Third-party confirmation

The assurance level of third-party confirmation is higher than that of inquiry.

Illustration of testing procedures
Type of controls           Inquiry   Observation   Inspection   Re-performance
Approval of documents      √         -             √            -
Compliance to procedures   √         √             √            -
Comparing data             √         -             √            √
Reconciliation             √         -             √            √
Recalculation              √         -             √            √
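An added Python example, not from the slides, that contrasts the compliance test described under Testing Method with two of the substantive procedures in the table above (recalculation and reconciliation): the invoices, the approval control threshold and the general-ledger balance are constructed.

```python
"""Compliance test vs substantive tests over a constructed set of sales invoices.

Added example (not from the lecture slides). The invoice records, the approval
control and the general-ledger balance are constructed to show the difference
between testing that a control operated and testing the recorded data itself.
"""

# Constructed sample: invoices from a sales application. Each has line items
# (quantity, unit price), the total the application recorded, and who approved it.
INVOICES = [
    {"id": "INV-001", "lines": [(2, 50.0), (1, 20.0)], "total": 120.0, "approved_by": "mgr1"},
    {"id": "INV-002", "lines": [(3, 10.0)],            "total": 30.0,  "approved_by": None},
    {"id": "INV-003", "lines": [(1, 500.0)],           "total": 500.0, "approved_by": None},   # control did not operate
    {"id": "INV-004", "lines": [(4, 25.0)],            "total": 110.0, "approved_by": "mgr2"}, # total miscalculated
]
APPROVAL_THRESHOLD = 100.0   # control: invoices above this amount require management approval
GL_SALES_BALANCE = 750.0     # balance recorded in the general ledger (constructed)

def compliance_test(invoices, threshold=APPROVAL_THRESHOLD):
    """Test of control: did the approval control operate on every invoice it applies to?
    Returns (number of in-scope items tested, ids where the control failed)."""
    in_scope = [inv for inv in invoices if inv["total"] > threshold]
    exceptions = [inv["id"] for inv in in_scope if not inv["approved_by"]]
    return len(in_scope), exceptions

def recalculation_test(invoices):
    """Substantive test (recalculation): recompute each total from its line items.
    Returns {id: (recorded_total, recalculated_total)} for every mismatch."""
    errors = {}
    for inv in invoices:
        expected = sum(qty * price for qty, price in inv["lines"])
        if abs(expected - inv["total"]) > 0.005:   # tolerate rounding to cents
            errors[inv["id"]] = (inv["total"], expected)
    return errors

def reconciliation_test(invoices, gl_balance=GL_SALES_BALANCE):
    """Substantive test (reconciliation): sales subledger total vs general ledger.
    Returns the difference; 0.0 means the two sources reconcile."""
    subledger_total = sum(inv["total"] for inv in invoices)
    return round(subledger_total - gl_balance, 2)

def run_tests(invoices):
    """Collect the evidence an auditor would carry into the findings."""
    tested, exceptions = compliance_test(invoices)
    return {
        "control_exception_rate": len(exceptions) / tested if tested else 0.0,
        "control_exceptions": exceptions,
        "recalculation_errors": recalculation_test(invoices),
        "unreconciled_difference": reconciliation_test(invoices),
    }

if __name__ == "__main__":
    for key, value in run_tests(INVOICES).items():
        print(f"{key}: {value}")
```

Note that the compliance exception (an unapproved invoice) says nothing about whether the amounts are right, and the 10.00 unreconciled difference is explained only by the recalculation error, which is why a control test and a substantive test answer different audit questions.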
Audit Evidence
Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives and supports audit conclusions.
Some types of evidence are more reliable than others. Reliability is determined by:
- The independence of the evidence provider
- The qualifications of the evidence provider
- The objectivity of the evidence
- The timing of the evidence
The IS auditor must focus on the objectives of the audit and not on the nature of the evidence.
Evidence is considered competent when it is both valid and relevant.
Sufficiency of Evidence
Evidence is sufficient and appropriate when it provides a reasonable basis for supporting the findings or conclusions within the context of the audit objectives. If, in professionals’ judgement, the evidence does not meet these criteria, they should obtain additional evidence or perform additional procedures to reduce the limitations or uncertainties related to the evidence.
For example, a programme listing may not be adequate evidence until other evidence has been gathered to verify that it represents the actual programme used in the production process.

Professionals should obtain evidence that is sufficient and appropriate to enable a qualified independent party to reperform the tests and obtain the same results and conclusions.
Audit Sampling

Sampling is used when time and cost constrain the ability to test all transactions or events.
There are two approaches to sampling:
- Statistical sampling uses an objective method to determine the sample size and selection criteria.
- Non-statistical sampling uses the IS auditor’s judgment to determine the sample size and selection criteria.

Variables vs Attribute Sampling

Illustration of statistical sampling
Using the work of other experts

Using the work of other experts should be considered when there are
constraints that could impair the audit work to be performed, e.g., technical
knowledge required by the nature of the tasks to be performed, scarce audit
resources, time constraints and to address potential independence issues.

The use of other experts should also be considered if this results in a gain in
the quality of the engagement.

IS audit and assurance professionals shall assess, review and evaluate the
work of other experts as part of the engagement, and document the
conclusion on the extent of use and reliance on their work.
IS AUDIT COMMUNICATION
Communication of Results

The IS auditor communicates the audit results in an exit interview with management.
During the exit interview, the IS auditor should:
- Ensure that the facts presented in the report are correct.
- Ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with auditee management.
- Recommend implementation dates for agreed-upon recommendations.
The IS auditor can present the results of the audit in an executive summary or a visual presentation.
Audit Report

Audit reports present the IS auditor’s findings and recommendations to management. They are the end product of the IS audit work.
The report should be balanced, describing not only negative issues in terms of findings but positive constructive comments regarding improving processes and controls or effective controls already in place.
Structure of Audit Report

The audit report format and structure is dependent on the organization’s audit policies and procedures, but reports usually have the following structure and content:
- An introduction to the report, including plan, limitations and methodology
- Audit findings
- The IS auditor’s overall conclusion and opinion on the adequacy of controls and procedures, and the actual potential risk identified as a consequence of detected deficiencies
ISACA Standard on Audit Report

According to the standard, the report must include the following:
Compliance with Auditing Standards

Reporting the results of audit engagements requires compliance with auditing standards, including ISACA IS Audit and Assurance Standards.

In addition to identifying the reporting requirements of professional auditing standards, the specific reporting requirements of the audit organisation and any applicable laws or regulations need to be identified. While reporting requirements that are stipulated by laws or regulations should take precedence, due diligence and due professional care should be exercised in meeting IS audit reporting standards and related guidance.
Key Success Factors
in Audit Report

Informative
Logical Sequence
Persuasive
Sufficient Information
Audit Findings
Audit findings are provided in the audit report when action is required to correct a deficiency in a process or its related controls. As a general rule, the audit report includes audit findings for reports with qualified opinions or adverse opinions. Five key elements, or attributes, need to be addressed when presenting an audit finding.

EXAMPLES – AUDIT FINDING

EXAMPLES – AUDIT FINDING (cont)

EXAMPLES – AUDIT FINDING (cont)
Fraud Reporting

Unless restricted by law, the final audit report should include occurrences of
illegal acts or fraud, or audit findings regarding deficiencies in internal control to
prevent or detect fraud. Care must be taken in the presentation of audit evidence
if the case before the court is not yet resolved.

Generally, the audit report should report the possible fraud that the evidence
indicates and to whom the possible illegal or fraudulent activity has been
reported. Internal audit reports may include reporting of any evidence of possible
illegal or fraudulent activity, including matters considered inconsequential.
Audit Documentation

Audit documentation provides the necessary evidence that supports the audit findings and conclusions.
It should be clear, complete, and easily retrievable.
It is the property of the auditing entity and should only be accessible to
authorized personnel.
All audit documentation should be:
Dated
Initialed
Page-numbered
Self-contained
Properly labeled
Kept in custody
Follow Up

Auditing is an ongoing process.
It is the IS auditor’s responsibility to ensure that management has taken appropriate corrective actions.
A follow-up program should be implemented to manage follow-up activities.
When the follow-up occurs depends on the criticality of the audit findings.
Results of the follow-up should be communicated to the appropriate level of management.
Thanks!

“It is not that I'm so smart. But I stay with the questions much longer.”
Albert Einstein