
Auditing System Acquisition, Development, and Implementation

Audit and IS Audit
An audit is a systematic and repeatable process whereby a competent and independent professional evaluates one or more controls, interviews personnel, obtains and analyzes evidence, and develops a written opinion on the effectiveness of the control(s).

An IS audit, then, is an audit of information systems and the processes that support them. An IS auditor interviews personnel, gathers and analyzes evidence, and delivers a written opinion on the effectiveness of controls implemented in information systems.
Audit Process
1. Planning
2. Compliance Testing
3. Substantive Testing
4. Reporting
1 | Planning
• Purpose
• Scope
• Risk analysis
• Audit procedures
• Resources
• Schedule
Audit objectives
Audit objectives are the specific goals for an audit.

They may be:
• To determine whether controls exist and are effective.
• As required by regulations, compliance, or legal obligations.
• As the result of a serious incident or event.
Types of Audits
• Operational audit
• Financial audit
• IS audit
• Compliance audit
• Fraud audit
• Service provider audit
Internal vs External Audit
• Internal audit is performed by personnel employed by the auditee organization. Internal auditors typically still have a degree of independence through their position on the org chart.

• External audit is performed by auditors who are not employees of the auditee. Typically, external auditors are employees of an audit firm.
2 | Compliance testing
This type of testing is used to determine whether control procedures have been properly designed and implemented and are operating properly.

For example, an IS auditor may examine business processes, such as the systems development life cycle, change management, or configuration management, to determine whether information systems environments are properly managed.
3 | Substantive testing
This type of testing is used to determine the accuracy and integrity of transactions that flow through processes and information systems.

For instance, an IS auditor may create test transactions and trace them through the environment, examining them at each stage until their completion.
Audit Evidence
Evidence is the information collected by the auditor during the course of the audit project. The contents and reliability of the evidence obtained are used by the IS auditor to reach conclusions on the effectiveness of controls and control objectives. Evidence includes:
• Observations
• Correspondence
• Independent confirmations
• Business records
• Policies and procedures
Auditor
• Independence
• Competence / Qualifications
• Objectivity
• Timing
Gathering of Evidence
• Organizational chart review
• Review of department and project charters
• Review of third-party contracts and service level agreements (SLAs)
• Review of IS policies and procedures
• Review of risk register (also known as a risk ledger)
• Review of incident log
• Review of IS standards
• Review of IS system documentation
• Personnel interviews (walkthroughs)
• Re-performance
• Passive observation
Sampling
• Statistical sampling
• Judgmental sampling (aka nonstatistical sampling)
• Attribute sampling
• Variable sampling
• Stop-or-go sampling
• Discovery sampling
• Stratified sampling
4 | Reporting
An audit report is a written report that describes the entire audit project, including audit objectives, scope, controls evaluated, opinions on the effectiveness and integrity of those controls, and recommendations for improvement.
Audit Risk and Materiality
• Control risk
• Detection risk
• Inherent risk
• Audit risk
• Sampling risk

Materiality in an IS audit occurs when a control deficiency (or combination of related control deficiencies) makes it possible for serious errors, omissions, irregularities, or illegal acts to occur as a result of the deficiency or deficiencies.
Fraud vs. Irregularity
• Fraud is defined as an intentional deception made for personal gain or to damage another party.
• An irregularity is an event that represents actions contrary to accepted practices or policy.
Continuous Auditing
A continuous audit approach is one where samples are obtained automatically over long periods instead of only during audit engagements.

It includes:
• Frequent notifications to auditors and control owners on audit results
• Triggers to notify auditors and control owners of control failures and other exceptions
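As an added example (not part of the slides), a small Python check of the kind a continuous-audit approach relies on, applied to the change-management control mentioned under compliance testing. It assumes constructed change records carrying an approver and a test-evidence flag (these attributes are assumptions, not something the slides specify), flags deployed changes that lack either one as control exceptions, and raises a trigger for auditors and control owners when the deviation rate in the sample exceeds a tolerable rate.

```python
"""Continuous-audit check over change-management records (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    approved_by: Optional[str]  # assumed attribute: recorded approver, None = no approval
    tested: bool                # assumed attribute: test evidence attached before deployment
    deployed: bool


# Constructed sample: one automatically collected window of change records.
SAMPLE: List[ChangeRecord] = [
    ChangeRecord("CHG-001", "cab", True, True),
    ChangeRecord("CHG-002", None, True, True),    # deployed without approval
    ChangeRecord("CHG-003", "cab", False, True),  # deployed without test evidence
    ChangeRecord("CHG-004", "cab", True, True),
    ChangeRecord("CHG-005", "cab", True, False),  # not deployed yet: control not due
]


def control_exceptions(records: Iterable[ChangeRecord]) -> List[Tuple[str, str]]:
    """Attribute test: every deployed change must show approval and test evidence."""
    findings: List[Tuple[str, str]] = []
    for r in records:
        if not r.deployed:
            continue  # the control only applies once a change reaches production
        if r.approved_by is None:
            findings.append((r.change_id, "deployed without recorded approval"))
        if not r.tested:
            findings.append((r.change_id, "deployed without test evidence"))
    return findings


def deviation_rate(records: List[ChangeRecord]) -> float:
    """Share of deployed changes with at least one control exception."""
    deployed = [r for r in records if r.deployed]
    failing = {cid for cid, _ in control_exceptions(deployed)}
    return len(failing) / len(deployed) if deployed else 0.0


def trigger(records: List[ChangeRecord], tolerable_rate: float = 0.05) -> Dict:
    """Continuous-audit trigger: notify when the sample exceeds the tolerable rate."""
    rate = deviation_rate(records)
    return {"deviation_rate": rate,
            "notify": rate > tolerable_rate,
            "exceptions": control_exceptions(records)}


if __name__ == "__main__":
    print(trigger(SAMPLE))
```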
Scope of IS Audit
• Audit of SDLC
    • Requirements
    • Feasibility Study
    • Design
    • Software acquisition
    • Development
    • Testing
    • Implementation
    • Post-implementation
• Audit of Change Management
• Auditing Configuration Management
• Auditing Third-Party Risk Management
• Auditing IT Infrastructure and Operations
    • Hardware
    • Operating Systems
    • File Systems
    • DBMS
    • Network Infrastructure
    • Network operating controls
• Auditing IT Operations
• Auditing Problem Management
• Auditing Monitoring Operations
• Auditing Procurement
• Auditing Business Continuity Planning
• Auditing Disaster Recovery Plans