
CHAPTER 1

The IS Audit Process

2007 CISA© Review Course © 2006 ISACA All rights reserved www.isaca.org Chap 1 - Pag - 1
I - INTRODUCTION
1. Organization of the IS Audit Function

• Audit charter (or engagement letter)
– Stating management’s responsibility and objectives for, and delegation of authority to, the IS audit function
– Outlining the overall authority, scope and responsibilities of the audit function
• Approval of the audit charter
• Change in the audit charter

I - INTRODUCTION
2. IS Audit Resource Management

• Limited number of IS auditors
• Maintenance of their technical competence
• Assignment of audit staff

I - INTRODUCTION
3. Audit Planning

• Audit planning
– Short-term planning
– Long-term planning
– Things to consider
• New control issues
• Changing technologies
• Changing business processes
• Enhanced evaluation techniques

• Individual audit planning
– Understanding of overall environment
• Business practices and functions
• Information systems and technology
I - INTRODUCTION
3. Audit Planning

Audit Planning Steps


• Gain an understanding of the business’s mission, objectives, purpose and
processes.
• Identify stated contents (policies, standards, guidelines, procedures, and
organization structure).
• Evaluate risk assessment and privacy impact analysis.
• Perform a risk analysis.
• Conduct an internal control review.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to audit and address engagement logistics.

I - INTRODUCTION
4. Effect of Laws and Regulations on IS Audit Planning

Regulatory requirements

– Establishment
– Organization
– Responsibilities
– Correlation to financial, operational and IT audit
functions

I - INTRODUCTION
4. Effect of Laws and Regulations on IS Audit Planning

Steps to determine compliance with external requirements:
– Identify external requirements
– Document pertinent laws and regulations
– Assess whether management and the IS function have considered the relevant external requirements
– Review internal IS department documents that address adherence to applicable laws
– Determine adherence to established procedures
II - ISACA IS Auditing Standards and Guidelines
1. ISACA Code of Professional Ethics

The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of the Association and/or holders of the CISA and CISM designations

II - ISACA IS Auditing Standards and Guidelines

Framework for the ISACA IS Auditing Standards
– Standards
– Guidelines
– Procedures

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

Objectives of ISACA IS Auditing Standards

• Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners
• Inform information systems auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

IS Auditing Standards
1. Audit charter
2. Independence
3. Ethics and Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning
II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

1. Audit charter
 Purpose, responsibility, authority and accountability
 Approval

2. Independence
 Professional independence
 Organizational independence
II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

3. Professional Ethics and Standards
 Code of Professional Ethics
 Due professional care

4. Competence
 Skills and knowledge
 Continuing professional education


II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

5. Planning
• Plan IS audit coverage
• Develop and document a risk-based audit approach
• Develop and document an audit plan
• Develop an audit program and procedures

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

6. Performance of audit work
 Supervision
 Evidence
 Documentation

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

7. Reporting
 Identify the organization, intended recipients and any
restrictions
 State the scope, objectives, coverage and nature of audit work
performed
 State the findings, conclusions and recommendations and
limitations
 Justify the results reported
 Be signed, dated and distributed according to the audit charter

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

8. Follow-up Activities
 Review previous conclusions and recommendations
 Review previous relevant findings
 Determine whether appropriate actions have been
taken by management in a timely manner

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

9. Irregularities and Illegal Acts
 Consider the risk of irregularities and illegal acts
 Maintain an attitude of professional skepticism
 Obtain an understanding of the organization and its environment
 Consider unusual or unexpected relationships
 Test the appropriateness of internal control
 Assess any misstatement

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

9. Irregularities and Illegal Acts (Cont.)
 Obtain written representations from management
 Have knowledge of any allegations of irregularities or illegal acts
 Communicate material irregularities/illegal acts
 Consider appropriate action in case of inability to continue performing the audit
 Document irregularity/illegal act related communications, planning, results, evaluations and conclusions

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

10. IT Governance
 Review and assess the IS function’s alignment with the organization’s mission, vision, values, objectives and strategies
 Review the IS function’s statement of performance and assess its achievement
 Review and assess the effectiveness of IS resource and performance management processes

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

10. IT Governance (Cont.)
 Review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements
 Use a risk-based approach to evaluate the IS function
 Review and assess the organization’s control environment
 Review and assess the risks that may adversely affect the IS environment

II - ISACA IS Auditing Standards and Guidelines
2. ISACA IS Auditing Standards

11. Use of Risk Assessment in Audit Planning
 Use a risk assessment technique in developing the overall IS audit plan
 Identify and assess relevant risks in planning individual reviews

II - ISACA IS Auditing Standards and Guidelines
4. ISACA IS Auditing Procedures

Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement.

– The procedures are examples, not mandatory steps
– The IS auditor should apply their own professional judgment to the specific circumstances

II - ISACA IS Auditing Standards and Guidelines
5. Relationship among Standards, Guidelines
and Procedures

– Standards
Must be followed by IS auditors
– Guidelines
Provide assistance on how to implement the standards
– Procedures
Provide examples for implementing the standards

III – Risk Analysis

i. Definition of Risk

The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.

III – Risk Analysis

ii. Elements of Risk
– Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)
– Impact on assets based on threats and vulnerabilities
– Probabilities of threats (combination of the likelihood and frequency of occurrence)

III – Risk Analysis

iii. Risk and Audit Planning

Risk analysis is part of audit planning; it helps identify risks and vulnerabilities so the auditor can determine the controls needed to mitigate those risks.

III – Risk Analysis

iv. Risk Management Process
– Risk assessment
– Risk mitigation
– Risk reevaluation

IV – Internal Controls

Policies, procedures, practices and organizational structures implemented to reduce risks

Classification of Internal Controls
– Preventive controls
– Detective controls
– Corrective controls
IV – Internal Controls
1. Internal Control Objectives

Internal Control System
– Internal accounting controls
– Operational controls
– Administrative controls

IV – Internal Controls
1. Internal Control Objectives

Internal Control Objectives
• Safeguarding of IT assets
• Compliance to corporate policies or legal requirements
• Input
• Authorization
• Accuracy and completeness of processing of data input/transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations
• Change management process for IT and related systems

IV – Internal Controls
2. IS Control Objectives

Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.

IV – Internal Controls
2. IS Control Objectives
• Safeguarding assets
• Assuring the integrity of general operating system environments
• Assuring the integrity of sensitive and critical application system environments through:
– Authorization of the input
– Accuracy and completeness of processing of transactions
– Reliability of overall information processing activities
– Accuracy, completeness and security of the output
– Database integrity
IV – Internal Controls
2. IS Control Objectives (Cont)

• Ensuring the efficiency and effectiveness of operations
• Complying with requirements, policies and procedures, and applicable laws
• Developing business continuity and disaster recovery plans
• Developing an incident response plan

IV – Internal Controls
3. CobiT

– A framework with 34 high-level control objectives
 Planning and organization
 Acquisition and implementation
 Delivery and support
 Monitoring and evaluation
– Use of 36 major IT related standards and regulations

IV – Internal Controls
4. General Control Procedures

Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

IV – Internal Controls
4. General Control Procedures

• Internal accounting controls directed at accounting operations
• Operational controls concerned with the day-to-day operations
• Administrative controls concerned with operational efficiency and adherence to management policies
• Organizational logical security policies and procedures
• Overall policies for the design and use of documents and records
• Procedures and features to ensure authorized access to assets
• Physical security policies for all data centers

IV – Internal Controls
5. IS Control Procedures
• Strategy and direction
• General organization and management
• Access to data and programs
• Systems development methodologies and change control
• Data processing operations
• Systems programming and technical support functions
• Data processing quality assurance procedures
• Physical access controls
• Business continuity/disaster recovery planning
• Networks and communications
• Database administration
V – Performing an IS Audit
Definition of Auditing
Systematic process by which a competent, independent person objectively
obtains and evaluates evidence regarding assertions about an economic
entity or event for the purpose of forming an opinion about and reporting
on the degree to which the assertion conforms to an identified set of
standards.

Definition of IS Auditing
Any audit that encompasses review and evaluation (wholly or partly) of
automated information processing systems, related non-automated
processes and the interfaces between them.

V – Performing an IS Audit
1. Classification of Audits

– Financial audits
– Operational audits
– Integrated audits
– Administrative audits
– Information systems audits
– Specialized audits
– Forensic audits

V – Performing an IS Audit
2. Audit Programs

– Based on the scope and the objective of the particular assignment
– IS auditor’s perspectives
• Security (confidentiality, integrity and availability)
• Quality (effectiveness, efficiency)
• Fiduciary (compliance, reliability)
• Service and capacity

V – Performing an IS Audit
2. Audit Programs

General audit procedures
– Understanding of the audit area/subject
– Risk assessment and general audit plan
– Detailed audit planning
– Preliminary review of audit area/subject
– Evaluating audit area/subject
– Compliance testing
– Substantive testing
– Reporting (communicating results)
– Follow-up
V – Performing an IS Audit
2. Audit Programs

Procedures for testing & evaluating IS controls
– Use of generalized audit software to survey the contents of data files
– Use of specialized software to assess the contents of operating system parameter files
– Flow-charting techniques for documenting automated applications and business processes
– Use of audit reports available in operating systems
– Documentation review
– Observation
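The first two procedures on this slide, as an added example written for this page (it is not ISACA course material and not any vendor's audit software): a generalized-audit-software style survey of a data file, and a check of an operating system parameter file against an expected baseline. The transaction export, the parameter file, the baseline values and the 50,000 amount threshold are all constructed for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample payments export (the data file a GAS survey reads).
TRANSACTIONS_CSV = """id,posted,amount,approver,preparer
1001,2023-03-01,1200.00,alice,bob
1002,2023-03-01,850.50,alice,carol
1003,2023-03-04,99999.00,bob,bob
1005,2023-03-06,42.10,alice,dave
1005,2023-03-06,42.10,alice,dave
1006,2023-03-07,-15.00,carol,bob
"""


def survey_transactions(text, max_amount=50000.0):
    """GAS-style survey: read every record, then report sequence gaps,
    duplicate ids, amounts outside the expected range, weekend postings
    and self-approved items. max_amount is an assumed threshold."""
    rows = list(csv.DictReader(io.StringIO(text)))
    ids = [int(r["id"]) for r in rows]
    findings = {"records": len(rows), "sequence_gaps": [], "duplicates": [],
                "out_of_range": [], "weekend_postings": [], "self_approved": []}
    # Ids should be contiguous; any skipped number is a gap to explain.
    for prev, cur in zip(ids, ids[1:]):
        if cur > prev + 1:
            findings["sequence_gaps"].extend(range(prev + 1, cur))
    findings["duplicates"] = sorted(i for i, n in Counter(ids).items() if n > 1)
    for r in rows:
        rid, amt = int(r["id"]), float(r["amount"])
        if amt <= 0 or amt > max_amount:
            findings["out_of_range"].append(rid)
        if datetime.strptime(r["posted"], "%Y-%m-%d").weekday() >= 5:
            findings["weekend_postings"].append(rid)
        if r["approver"] == r["preparer"]:
            findings["self_approved"].append(rid)
    return findings


# Constructed OS parameter file in "Parameter value" form with '#' comments
# (sshd_config style). Neither the values nor the baseline below are a
# recommended configuration; they are assumptions for the example.
PARAM_FILE = """# sshd_config (sample)
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 10
# LogLevel INFO
"""

BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}


def parse_params(text):
    """Parse 'Key value' lines, ignoring blanks and '#' comments. In this
    simplified parser the last occurrence of a key wins."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        params[key] = value.strip()
    return params


def check_os_params(text, baseline=BASELINE):
    """Return {parameter: (expected, actual)} for every deviation from the
    baseline; actual is None when the parameter is not set at all (a
    commented-out line counts as not set)."""
    params = parse_params(text)
    return {k: (v, params.get(k)) for k, v in baseline.items()
            if params.get(k) != v}
```

Both functions return their findings rather than printing them so the results can be filed as workpaper evidence; a commented-out parameter is reported as missing, which is the case a plain grep for the parameter name would get wrong.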

V – Performing an IS Audit
3. Audit Methodology

– A set of documented audit procedures designed to achieve planned audit objectives
– Composed of
• Statement of scope
• Statement of audit objectives
• Statement of work programs
– Set up and approved by the audit management
– Communicated to all audit staff

V – Performing an IS Audit
3. Audit Methodology

Typical audit phases

1. Audit subject
Identify the area to be audited

2. Audit objective
Identify the purpose of the audit

3. Audit scope
Identify the specific systems, function or unit of the organization
V – Performing an IS Audit
3. Audit Methodology

Typical audit phases (Cont.)

4. Pre-audit planning
 Identify technical skills and resources needed
 Identify the sources of information for test or review
 Identify locations or facilities to be audited

V – Performing an IS Audit
3. Audit Methodology

Typical audit phases (Cont.)

5. Audit procedures and steps for data gathering
 Identify and select the audit approach
 Identify a list of individuals to interview
 Identify and obtain departmental policies, standards and guidelines
 Develop audit tools and methodology

V – Performing an IS Audit
3. Audit Methodology

Typical audit phases (Cont.)

6. Procedures for evaluating test/review results
7. Procedures for communication
8. Audit report preparation
• Identify follow-up review procedures
• Identify procedures to evaluate/test operational efficiency and effectiveness
• Identify procedures to test controls
• Review and evaluate the soundness of documents, policies and procedures
V – Performing an IS Audit
3. Audit Methodology

Workpapers (WPs)
What are documented in WPs?
– Audit plans
– Audit programs
– Audit activities
– Audit tests
– Audit findings and incidents

V – Performing an IS Audit
3. Audit Methodology

Workpapers (Cont)
– Do not have to be on “paper”
– Must be
• Dated
• Initialed
• Page-numbered
• Relevant
• Complete
• Clear
• Self-contained and properly labeled
• Filed and kept in custody
V – Performing an IS Audit
4. Fraud Detection

– Management’s responsibility
– Benefits of a well-designed internal control system
• Deterring frauds at the first instance
• Detecting frauds in a timely manner
– Fraud detection and disclosure
– Auditor’s role in fraud prevention and detection

V – Performing an IS Audit
5. Audit Risk and Materiality

Audit Risk

– Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.

– A risk-based audit approach is used to assess risk and assist with an IS auditor’s decision to perform either compliance or substantive testing.

V – Performing an IS Audit
5. Audit Risk and Materiality

Audit Risks - Categories

• Inherent risk
• Control risk
• Detection risk
• Overall audit risk

V – Performing an IS Audit
5. Audit Risk and Materiality

Risk-based Approach Overview
– Gather information and plan
– Obtain understanding of internal control
– Perform compliance tests
– Perform substantive tests
– Conclude the audit

V – Performing an IS Audit
5. Audit Risk and Materiality

Materiality

An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited

V – Performing an IS Audit
6. Risk Assessment Techniques

Risk Assessment Techniques
– Enable management to effectively allocate limited audit resources
– Ensure that relevant information has been obtained
– Establish a basis for effectively managing the audit department
– Provide a summary of how the individual audit subject is related to the overall organization and to business plans

V – Performing an IS Audit
7. Audit Objectives

Audit Objectives - Specific goals of the audit
– Compliance with legal & regulatory requirements
– Confidentiality
– Integrity
– Reliability
– Availability

V – Performing an IS Audit
8. Compliance vs. Substantive Testing

– Compliance test
determines whether controls are in compliance with management policies and procedures

– Substantive test
tests the integrity of actual processing

– Correlation between the level of internal controls and substantive testing required
– Relationship between compliance and substantive tests
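The two kinds of test and the correlation between them, as an added example written for this page (not ISACA material): a compliance test of a change-approval control, a substantive test that recomputes account balances, and the reliance decision that links them. The change log, the postings, the reported balances and the 5% tolerable deviation rate are constructed assumptions.

```python
from datetime import date

# Constructed change log. The control under test: every production change
# references a ticket that was approved no later than the deployment date.
CHANGES = [
    {"id": "CHG-1", "deployed": date(2023, 5, 2), "ticket": "T-10", "approved": date(2023, 5, 1)},
    {"id": "CHG-2", "deployed": date(2023, 5, 3), "ticket": "T-11", "approved": date(2023, 5, 3)},
    {"id": "CHG-3", "deployed": date(2023, 5, 6), "ticket": None, "approved": None},
    {"id": "CHG-4", "deployed": date(2023, 5, 9), "ticket": "T-12", "approved": date(2023, 5, 10)},
    {"id": "CHG-5", "deployed": date(2023, 5, 9), "ticket": "T-13", "approved": date(2023, 5, 8)},
]

# Constructed ledger postings and the balances the application reports.
POSTINGS = [("ACC-1", 500), ("ACC-1", -120), ("ACC-2", 300), ("ACC-2", 50), ("ACC-3", 75)]
REPORTED = {"ACC-1": 380, "ACC-2": 350, "ACC-3": 70}

TOLERABLE_DEVIATION_RATE = 0.05  # assumed; set during planning, not here


def compliance_test(changes):
    """Did the change-approval control operate as designed? A change with
    no ticket, no approval, or an approval dated after deployment is a
    deviation. Returns (deviation_rate, deviating change ids)."""
    deviations = [c["id"] for c in changes
                  if c["ticket"] is None or c["approved"] is None
                  or c["approved"] > c["deployed"]]
    return len(deviations) / len(changes), deviations


def substantive_test(postings, reported, accounts=None):
    """Is the processed data itself right? Recompute each tested account
    from the postings and compare with the reported balance. Returns
    {account: (recomputed, reported)} for every mismatch."""
    totals = {}
    for acc, amt in postings:
        totals[acc] = totals.get(acc, 0) + amt
    tested = accounts if accounts is not None else reported.keys()
    return {a: (totals.get(a, 0), reported[a]) for a in tested
            if totals.get(a, 0) != reported[a]}


def plan_substantive_scope(deviation_rate, reported, sample):
    """The correlation: when the control passed its compliance test the
    auditor relies on it and tests only the planned sample; when it
    failed, reliance is withdrawn and every account is tested."""
    if deviation_rate <= TOLERABLE_DEVIATION_RATE:
        return list(sample)
    return list(reported.keys())


def run_audit(changes, postings, reported, sample):
    """Compliance test first, then size the substantive work from it."""
    rate, deviations = compliance_test(changes)
    scope = plan_substantive_scope(rate, reported, sample)
    return {"deviation_rate": rate, "deviations": deviations,
            "substantive_scope": scope,
            "misstatements": substantive_test(postings, reported, scope)}
```

With the constructed data the control fails (2 of 5 changes deviate), so the substantive scope is widened from the one-account sample to all accounts, which is what surfaces the ACC-3 misstatement; had the auditor relied on the control and tested only the sample, that misstatement would have gone undetected.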

V – Performing an IS Audit
9. Evidence

It is a requirement that the auditor’s conclusions must be based on sufficient, competent evidence
– Independence of the provider of the evidence
– Qualification of the individual providing the information or evidence
– Objectivity of the evidence
– Timing of evidence

V – Performing an IS Audit
9. Evidence

Techniques for gathering evidence:
 Review IS organization structures
 Review IS policies and procedures
 Review IS standards
 Review IS documentation
 Interview appropriate personnel
 Observe processes and employee performance

V – Performing an IS Audit
10. Interviewing and Observing Personnel in action

– Actual functions

– Actual processes/procedures

– Security awareness

– Reporting relationships

V – Performing an IS Audit
12. Using the Services of Other Auditors and Experts

Considerations when using services of other auditors and experts:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence, qualifications and experience
V – Performing an IS Audit
12. Using the Services of Other Auditors and Experts

Considerations when using services of other auditors and experts (Cont.):
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls
• Method and modalities of communication of results of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards

V – Performing an IS Audit
13. Computer-assisted Audit Techniques

– CAATs enable IS auditors to gather information independently
– CAATs include:
• Generalized audit software (GAS)
• Utility software
• Test data
• Application software for continuous online audits
• Audit expert systems

V – Performing an IS Audit
13. Computer-assisted Audit Techniques

– Need for CAATs
Evidence collection

– Functional capabilities
Functions supported
Areas of concern

V – Performing an IS Audit
13. Computer-assisted Audit Techniques

– Examples of CAATs used to collect evidence
– CAATs as a continuous online approach
– Advantages of CAATs
– Cost/benefits of CAATs
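The continuous online approach, as an added example written for this page (not ISACA material and not any real application's code): a miniature embedded audit module (EAM) of the SCARF kind referred to in chapter question 5. The audit code sits inside the application's transaction path and copies transactions that meet predefined criteria into a separate audit file, while the application's own processing is unchanged. The ledger application, the criteria and their thresholds, and the transactions are constructed for the example.

```python
from datetime import datetime

# Predefined selection criteria (assumed thresholds for the example).
CRITERIA = {
    "large_amount": lambda t: t["amount"] >= 10000,
    "off_hours": lambda t: not 8 <= t["when"].hour < 18,
    "self_approved": lambda t: t["user"] == t["approver"],
    "round_amount": lambda t: t["amount"] >= 1000 and t["amount"] % 1000 == 0,
}


class Scarf:
    """Systems Control Audit Review File: an append-only record the auditor
    reads later. Kept in memory here; in practice it is written to storage
    the application's users cannot alter."""

    def __init__(self):
        self.entries = []

    def record(self, txn, matched):
        self.entries.append({"txn_id": txn["id"], "criteria": sorted(matched),
                             "amount": txn["amount"], "user": txn["user"]})


def embedded_audit_module(txn, scarf, criteria=CRITERIA):
    """Called from inside the application for every transaction. Writes a
    SCARF entry when any criterion matches and returns the matched names;
    it never changes or blocks the transaction."""
    matched = [name for name, test in criteria.items() if test(txn)]
    if matched:
        scarf.record(txn, matched)
    return matched


class Ledger:
    """Toy application: posts transactions to a running balance, with the
    EAM hooked into post()."""

    def __init__(self, scarf):
        self.balance = 0
        self.scarf = scarf

    def post(self, txn):
        embedded_audit_module(txn, self.scarf)  # audit hook; processing continues
        self.balance += txn["amount"]
        return self.balance


# Constructed transactions fed through the application.
SAMPLE_TXNS = [
    {"id": 1, "amount": 250, "user": "ann", "approver": "bob", "when": datetime(2023, 6, 1, 10, 15)},
    {"id": 2, "amount": 12000, "user": "cy", "approver": "dee", "when": datetime(2023, 6, 1, 11, 0)},
    {"id": 3, "amount": 5000, "user": "eve", "approver": "eve", "when": datetime(2023, 6, 1, 23, 40)},
    {"id": 4, "amount": 730, "user": "fay", "approver": "gus", "when": datetime(2023, 6, 2, 9, 5)},
]


def run_sample(txns=SAMPLE_TXNS):
    """Post the sample and return (final balance, SCARF entries)."""
    scarf = Scarf()
    ledger = Ledger(scarf)
    for t in txns:
        ledger.post(t)
    return ledger.balance, scarf.entries
```

The SCARF entries give the auditor the selected transactions without re-extracting the whole file; the caveat the slide on access to production data implies is that the module must be change-controlled like any other production code, and its output file protected from the users whose transactions it records.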

V – Performing an IS Audit
13. Computer-assisted Audit Techniques

Development of CAATs
• Documentation retention
• Access to production data
• Data manipulation

V – Performing an IS Audit
14. Evaluation of Audit Strengths and Weaknesses

– Assess evidence
– Evaluate overall control structure
– Evaluate control procedures
– Assess control strengths and weaknesses

V – Performing an IS Audit
14. Evaluation of Audit Strengths and Weaknesses

Judging Materiality of Findings
 Materiality is a key issue
 Assessment requires judgment of the potential effect of the finding if corrective action is not taken

V – Performing an IS Audit
15. Communicating Audit Results

– Exit interview
• Correct facts
• Realistic recommendations
• Implementation dates for agreed recommendations
– Presentation techniques
• Executive summary
• Visual presentation

V – Performing an IS Audit
15. Communicating Audit Results

Audit report structure and contents
 An introduction to the report
 The IS auditor’s overall conclusion and opinion
 The IS auditor’s reservations with respect to the audit
 Detailed audit findings and recommendations
 A variety of findings
 Limitations to audit
 Statement on the IS audit guidelines followed

V – Performing an IS Audit
16. Management Implementation of Recommendations

– Auditing is an ongoing process
– Timing of follow-up

V – Performing an IS Audit
17. Audit Documentation

– Contents of audit documentation

– Custody of audit documentation

– Support of findings and conclusions

V – Performing an IS Audit
17. Audit Documentation

Documentation should include, at a minimum, a record of the:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations

V – Performing an IS Audit
17. Audit Documentation
– Constraints on the Conduct of the Audit
 Availability of audit staff
 Auditee constraints

– Project Management Techniques
 Develop a detailed plan
 Report project activity against the plan
 Adjust the plan
 Take corrective action
V – Performing an IS Audit
Chapter 1 Question

1. In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?

A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

V – Performing an IS Audit
Chapter 1 Question

2. Which of the following types of risk assumes an absence of compensating controls in the area being reviewed?

A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

V – Performing an IS Audit
Chapter 1 Question

3. While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?

A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies

V – Performing an IS Audit
Chapter 1 Question

4. The GREATEST drawback in using an integrated test facility is the need to:

A. Isolate test data from production data
B. Notify user personnel so they can make adjustments to output
C. Segregate specific master file records
D. Collect transaction and master file records in a separate file
V – Performing an IS Audit
Chapter 1 Question

5. To meet predefined criteria, which of the following continuous audit techniques would BEST identify transactions to audit?

A. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
B. Continuous and intermittent simulation (CIS)
C. Integrated test facilities (ITF)
D. Audit hooks
V – Performing an IS Audit
Chapter 1 Question

6. Which of the following BEST describes the early stages of an IS audit?

A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding business process and environment applicable to the review
D. Reviewing prior IS audit reports

V – Performing an IS Audit
Chapter 1 Question

7. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?

A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module
V – Performing an IS Audit
Chapter 1 Question

8. The PRIMARY use of generalized audit software (GAS) is to:

A. Test controls embedded in programs
B. Test unauthorized access to data
C. Extract data of relevance to the audit
D. Reduce the need for transaction vouching

2007 CISA© Review Course © 2006 ISACA All rights reserved www.isaca.org Chap 1 - Pag - 83
V – Performing an IS Audit
Chapter 1 Question

9. An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:

A. Disregard these control weaknesses, as a system software review is beyond the scope of this review
B. Conduct a detailed system software review and report the control weaknesses
C. Include in the report a statement that the audit was limited to a review of the application's controls
D. Review the system software controls as relevant and recommend a detailed system software review

VI - Control Self-Assessment

• A management technique
• A methodology
• In practice, a series of tools

VI - Control Self-Assessment

Implementation of CSA
• Facilitated workshops
• Hybrid approach

VI - Control Self-Assessment
1. Benefits of CSA

• Early detection of risks
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Increased employee awareness of organizational objectives and knowledge of risk and internal controls
• Increased communication between operational and top management
• Highly motivated employees

VI - Control Self-Assessment
1. Benefits of CSA

• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
• Necessary assurance given to top management about the adequacy of internal controls, as required by the various regulatory agencies and laws such as the US Sarbanes-Oxley Act

VI - Control Self-Assessment
2. Disadvantages of CSA

• It could be mistaken as an audit function replacement
• It may be regarded as an additional workload (e.g., one more report to be submitted to management)
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls

VI - Control Self-Assessment

Objectives of CSA
– Enhancement of audit responsibilities (not a replacement)
– Education for line management in control responsibility and monitoring
– Empowerment of workers to assess the control environment

VI - Control Self-Assessment
3. Auditor Role in CSA

When these programs are established, auditors become:

• Internal control professionals
• Assessment facilitators

– The auditors are the facilitators
– The management client is the participant in the CSA process

VI - Control Self-Assessment
4. Technology Drivers for CSA

Some technology drivers include:

• A combination of hardware and software to support CSA selection
• Use of an electronic meeting system
• Computer-supported decision aids to facilitate group decision making

Group decision making is an essential component of a workshop-based CSA where employee empowerment is a goal.

VI - Control Self-Assessment
5. Traditional vs. CSA Approach

Traditional approach
Any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors and, to a lesser extent, controller departments and outside consultants.

CSA approach
Emphasizes management and accountability over developing and monitoring internal controls of an organization's sensitive and critical business processes.

VI - Control Self-Assessment
Chapter 1 Question

10. Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?

A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams

VII - Emerging changes in the IS audit process
1. Automated Work papers

– Risk analysis
– Audit programs
– Results
– Test evidence
– Conclusions
– Reports and other complementary information

VII - Emerging changes in the IS audit process
1. Automated Work papers

Controls over automated work papers:
• Access to work papers
• Audit trails
• Approvals of audit phases
• Security and integrity controls
• Backup and restoration
• Encryption for confidentiality
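Several of these controls (the audit trail, approval of audit phases and integrity protection) can be provided by one tamper-evident log. The following is an added example, not part of the ISACA course material: each work-paper record is chained to the previous one with an HMAC, so alteration, deletion or reordering is detected; the key, the phase names and the rule that a phase counts as approved only when someone who did not edit it records the approval are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumed: the key is held by audit management, not by the auditors who edit
# the work papers, so an auditor cannot re-seal a record they altered.
TRAIL_KEY = b"example-key-held-by-audit-management"
GENESIS = "0" * 64

def _seal(record: dict, key: bytes) -> str:
    """HMAC over the canonical JSON of everything except the seal itself."""
    body = {k: v for k, v in record.items() if k != "mac"}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_entry(trail: list, actor: str, phase: str, action: str,
                 key: bytes = TRAIL_KEY) -> dict:
    """Append one record chained to the previous record's MAC (audit trail)."""
    record = {
        "seq": len(trail),
        "actor": actor,    # who touched the work papers
        "phase": phase,    # e.g. planning, fieldwork, reporting (assumed names)
        "action": action,  # "edit" or "approve"
        "prev": trail[-1]["mac"] if trail else GENESIS,
    }
    record["mac"] = _seal(record, key)
    trail.append(record)
    return record

def verify_trail(trail: list, key: bytes = TRAIL_KEY) -> bool:
    """Integrity control: True only if no record was altered, removed or reordered."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["seq"] != i or rec["prev"] != prev:
            return False
        if not hmac.compare_digest(_seal(rec, key), rec["mac"]):
            return False
        prev = rec["mac"]
    return True

def phase_approved(trail: list, phase: str) -> bool:
    """Approval of an audit phase: an 'approve' record by someone who did not edit it."""
    editors = {r["actor"] for r in trail if r["phase"] == phase and r["action"] == "edit"}
    return any(r["phase"] == phase and r["action"] == "approve" and r["actor"] not in editors
               for r in trail)

if __name__ == "__main__":
    demo = []
    append_entry(demo, "alice", "fieldwork", "edit")
    print(verify_trail(demo), phase_approved(demo, "fieldwork"))  # True False
```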

VII - Emerging changes in the IS audit process
2. Integrated Auditing

Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity

– Focuses on risk to the organization (for an internal auditor)
– Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)

VII - Emerging changes in the IS audit process
2. Integrated Auditing

Typical process:

– Identification of relevant key controls
– Review and understanding of the design of key controls
– Testing that key controls are supported by the IT system
– Testing that management controls operate effectively
– A combined report or opinion on control risks, design and weaknesses

VII - Emerging changes in the IS audit process
3. Continuous Auditing

Definition
“A methodology that enables independent auditors to
provide written assurance on a subject matter using a
series of auditors’ reports issued simultaneously with, or a
short period of time after, the occurrence of events
underlying the subject matter”

VII - Emerging changes in the IS audit process
3. Continuous Auditing

– Distinctive character
• short time lapse between the facts to be audited and the
collection of evidence and audit reporting
– Drivers
• better monitoring of financial issues
• allowing real-time transactions to benefit from real-time
monitoring
• preventing financial fiascoes and audit scandals
• using software to determine proper financial controls

VII - Emerging changes in the IS audit process
3. Continuous Auditing

Continuous Auditing vs. Continuous Monitoring

• Continuous monitoring
  – Management-driven
  – Based on automated procedures to meet fiduciary responsibilities
• Continuous auditing
  – Audit-driven
  – Done using automated audit procedures

VII - Emerging changes in the IS audit process
3. Continuous Auditing

Enablers for the Application of Continuous Auditing

– New information technology developments
– Increased processing capabilities
– Standards
– Artificial intelligence tools

VII - Emerging changes in the IS audit process
3. Continuous Auditing

IT techniques in a continuous auditing environment

– Transaction logging
– Query tools
– Statistics and data analysis (CAAT)
– Database management systems (DBMS)
– Data warehouses, data marts, data mining
– Artificial intelligence (AI)
– Embedded audit modules (EAM)
– Neural network technology
– Standards such as Extensible Business Reporting Language

VII - Emerging changes in the IS audit process
3. Continuous Auditing

Prerequisites
– A high degree of automation
– An automated and reliable information-producing process
– Alarm triggers to report control failures
– Implementation of automated audit tools
– Quickly informing IS auditors of anomalies/errors
– Timely issuance of automated audit reports
– Technically proficient IS auditors
– Availability of reliable sources of evidence
– Adherence to materiality guidelines
– Change of IS auditors’ mind-set
– Evaluation of cost factors
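The alarm triggers, automated audit tools and prompt reporting of anomalies listed above are what an embedded audit module (EAM) with a SCARF file provides in practice. As an added example that is not course material, the toy EAM below screens each transaction against predefined criteria, copies hits to a SCARF list and separates those that should alarm the IS auditor at once; the criteria values, the alarm rule and the sample transactions are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float       # currency units
    entered_by: str     # user who entered the transaction
    approved_by: str    # user who approved it
    timestamp: datetime

# Predefined selection criteria (assumed values; an audit plan would set them).
MATERIALITY = 10_000.0          # amounts above this are always selected
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59; postings outside are suspect

def over_materiality(t: Transaction):
    return f"amount {t.amount:.2f} exceeds {MATERIALITY:.2f}" if t.amount > MATERIALITY else None

def sod_violation(t: Transaction):
    # One person entering and approving defeats segregation of duties.
    return f"{t.entered_by} entered and approved" if t.entered_by == t.approved_by else None

def after_hours(t: Transaction):
    return f"posted at {t.timestamp:%H:%M}" if t.timestamp.hour not in BUSINESS_HOURS else None

CRITERIA = [over_materiality, sod_violation, after_hours]
ALARM_CRITERIA = {"sod_violation"}   # control failures the IS auditor is told of at once

def embedded_audit_module(transactions, criteria=CRITERIA):
    """Screen each transaction as the application processes it: hits go to the
    SCARF (the auditor's review file); alarm hits are also returned separately."""
    scarf, alarms = [], []
    for t in transactions:
        hits = {c.__name__: reason for c in criteria if (reason := c(t))}
        if hits:
            entry = {"txn_id": t.txn_id, "hits": hits}
            scarf.append(entry)
            if ALARM_CRITERIA.intersection(hits):
                alarms.append(entry)
    return scarf, alarms

# Constructed sample transactions (not real data).
SAMPLE = [
    Transaction("T1", 250.00, "alice", "bob", datetime(2007, 3, 5, 10, 15)),
    Transaction("T2", 15_000.00, "alice", "bob", datetime(2007, 3, 5, 11, 0)),
    Transaction("T3", 900.00, "carol", "carol", datetime(2007, 3, 5, 23, 40)),
]
```

Running `embedded_audit_module(SAMPLE)` selects T2 (materiality) and T3 (segregation of duties, after hours) for the SCARF, with only T3 raising an alarm.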
VII - Emerging changes in the IS audit process
3. Continuous Auditing

– Advantages
• Instant capture of internal control problems
• Reduction of intrinsic audit inefficiencies
– Disadvantages
• Difficulty in implementation
• High cost
• Elimination of auditors’ personal judgment and evaluation

VIII - Chapter 1 Case Study
1. Case study Scenario
The IS auditor has been asked to perform preliminary work that will assess the readiness of the
organization for a review to measure compliance with new regulatory requirements. These
requirements are designed to ensure that management is taking an active role in setting up and
maintaining a well-controlled environment and, accordingly, will assess management’s review and
testing of the general IT control environment. Areas to be assessed include logical and physical
security, change management, production control and network management, IT governance, and
end-user computing. The IS auditor has been given six months to perform this preliminary work, so
sufficient time should be available. It should be noted that in previous years, repeated problems have
been identified in the areas of logical security and change management, so these areas will most
likely require some degree of remediation. Logical security deficiencies noted included the sharing of
administrator accounts and failure to enforce adequate controls over passwords. Change
management deficiencies included improper segregation of incompatible duties and failure to
document all changes. Additionally, the process for deploying operating system updates to servers
was found to be only partially effective. In anticipation of the work to be performed by the IS auditor,
the chief information officer (CIO) requested direct reports to develop narratives and process flows
describing the major activities for which IT is responsible. These were completed, approved by the
various process owners and the CIO, and then forwarded to the IS auditor for examination.
VIII - Chapter 1 Case Study
2. Case study Questions

1. What should the IS auditor do FIRST?

A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.

VIII - Chapter 1 Case Study
2. Case study Questions
2. When testing program change management, how should the sample be
selected?
A. Change management documents should be selected at random and
examined for appropriateness
B. Changes to production code should be sampled and traced to appropriate
authorizing documentation
C. Change management documents should be selected based on system
criticality and examined for appropriateness
D. Changes to production code should be sampled and traced back to
system-produced logs indicating the date and time of the change
