Cisa Exam Cram 2
The IS auditor should follow an IT audit life cycle in the planning, assessment, and execution of the audit. The audit life cycle should include the following steps:
Per ISACA, proper planning is the necessary first step in performing effective audits. The IS auditor's first task should be to gather background information, such as business sector, applied benchmarks, specific trends, and regulatory and legal requirements. This enables the auditor to better understand what to audit. After gathering initial information, the auditor should identify the audit subject and audit objectives, define the scope, establish the information systems and functions involved, and identify the needed resources.
In preparation for the audit, the auditor should either use an existing audit methodology or create one. The audit methodology is a set of documented audit procedures to ensure that the auditor achieves the planned audit objectives. Establishment of the audit methodology encompasses all phases of the audit and creates a repeatable, consistent approach to audits in the organization. The methodology should be documented and approved by the audit management and should be communicated to the audit staff. Table 1.3 lists the phases of a typical audit
Using the audit methodology, the auditing department can create boundaries for the audit, ensure consistent processes, and identify specific steps to be performed during the audit. The combined effect is that the auditing function has a trail of what entities were audited, who was interviewed, what material was collected, and how controls were verified. This ensures that the audit report is complete without exceeding the audit boundaries, and provides confidence that the procedures that were followed met the objectives of the audit. A risk-based audit approach helps management effectively utilize limited auditing resources by identifying areas of high risk in the organization. This method helps prioritize audits, and information gathered from risk analysis facilitates more effective corporate governance by ensuring that audit activities are directed to high business risk areas, maximizing the effectiveness of audit activities. In a risk-based approach to auditing, the IS auditor gains an understanding of the client's environment and information systems, and determines which areas are high-risk, or material. These areas then become the focus of the audit. The alternative to the risk-based approach is for the auditing department to evaluate the organization's entire environment and operating system. This is often referred to as the "old model" of auditing. In planning an audit, the most critical step is to identify the areas of high risk. The IS auditor should use the following risk-based approach to creating an audit plan:
The ISACA IS auditing guideline on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with relatively high risk of existence of material problems."
|