CISA Exam Cram 2

The IS auditor should follow an IT audit life cycle in the planning, assessment, and execution of the audit. The audit life cycle should include the following steps:

1. Plan
2. Assess risk
3. Prepare and plan an audit program
4. Conduct a preliminary review of the audit area/subject
5. Evaluate the audit area/subject
6. Gather evidence
7. Conduct compliance testing
8. Conduct substantive testing
9. Form conclusions
10. Deliver audit opinion (communicate results)
11. Follow up

Per ISACA, proper planning is the necessary first step in performing effective audits. The IS auditor's first task should be to gather background information, such as business sector, applied benchmarks, specific trends, and regulatory and legal requirements. This enables the auditor to better understand what to audit. After gathering initial information, the auditor should identify the audit subject and audit objectives, define the scope, establish the information systems and functions involved, and identify the needed resources.

In preparation for the audit, the auditor should either use an existing audit methodology or create one. The audit methodology is a set of documented audit procedures to ensure that the auditor achieves the planned audit objectives. Establishment of the audit methodology encompasses all phases of the audit and creates a repeatable, consistent approach to audits in the organization. The methodology should be documented and approved by the audit management and should be communicated to the audit staff.

Table 1.3 lists the phases of a typical audit.

Table 1.3. Phases of an Audit

| Phase | Activities |
| --- | --- |
| Audit subject | Identification of the audit area(s). |
| Audit objective | Identify the reason for the audit. For example, an objective might be that access to intellectual property is properly controlled. |
| Audit scope | Identify the systems or functions of the organization included in the review. |
| Preaudit planning | Identify the skill sets and resources required. Identify the information sources: policies, procedures, project plans, logs, and so on. Identify the locations or facilities included in the audit. |
| Audit procedures and steps for gathering data | Identify and select the process to verify and test controls. Identify the individuals to interview. Identify and obtain policies, standards, and procedures. Develop audit procedures to verify and test controls. |
| Procedures for evaluating the test or results | Identify a process for review and evaluation of auditing results. |
| Procedures for communication with management | Develop procedures for the communication of the audit report. Develop procedures for communication during the audit process. |
| Audit report preparation | Identify follow-up. Identify procedures to evaluate/test operational efficiency and effectiveness. Identify procedures to test controls. Review and evaluate the soundness of documents, policies, and procedures. |

Using the audit methodology, the auditing department can create boundaries for the audit, ensure consistent processes, and identify specific steps to be performed during the audit. The combined effect is that the auditing function has a trail of what entities were audited, who was interviewed, what material was collected, and how controls were verified. This ensures that the audit report is complete without exceeding the audit boundaries, and provides confidence that the procedures that were followed met the objectives of the audit.

A risk-based audit approach helps management effectively utilize limited auditing resources by identifying areas of high risk in the organization. This method helps prioritize audits, and information gathered from risk analysis facilitates more effective corporate governance by ensuring that audit activities are directed to high business risk areas, maximizing the effectiveness of audit activities.

In a risk-based approach to auditing, the IS auditor gains an understanding of the client's environment and information systems, and determines which areas are high-risk, or material. These areas then become the focus of the audit. The alternative to the risk-based approach is for the auditing department to evaluate the organization's entire environment and operating system. This is often referred to as the "old model" of auditing. In planning an audit, the most critical step is to identify the areas of high risk. The IS auditor should use the following risk-based approach to creating an audit plan:

  1. Gather information and plan.

    1. Knowledge of business and industry

    2. Audit results from earlier years

    3. Recent financial information

    4. Regulatory statutes

    5. Inherent risk assessments

  2. Determine internal controls and obtain an understanding of how they function.

    1. Control environment

    2. Control procedures

    3. Detection risk assessment

    4. Control risk assessment

    5. Equate total risk

  3. Perform compliance tests.

  4. Perform substantive tests.

  5. Conclude the audit.

The ISACA IS auditing guideline on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with relatively high risk of existence of material problems."
