IS Audit Function Knowledge. Tasks Develop and implement a risk based IS audit strategy for the...

Date post: 20-Dec-2015
Page 1: IS Audit Function Knowledge. Tasks Develop and implement a risk based IS audit strategy for the organization in compliance with IS audit standards, guidelines.

IS Audit Function Knowledge

Tasks

• Develop and implement a risk based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices

• Plan specific audits to ensure that IT and business systems are protected and controlled

• Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives

• Communicate emerging issues, potential risks and audit results to key stakeholders

• Advise on the implementation of risk management and control practices within the organization while maintaining independence

Knowledge

• IS ISACA Auditing Standards, Guidelines and Procedures and Code of Professional Ethics

• IS auditing practices and techniques

• Techniques to gather information and preserve evidence (e.g. observation, inquiry, interview, computer-assisted audit techniques (CAATs), electronic media)

• The evidence life cycle (e.g., the collection, protection, chain of custody)

• Control objectives and controls related to IS (e.g., COBIT)

• Risk assessment in an audit context

• Audit planning and management techniques

• Reporting and communication techniques (e.g. facilitation, negotiation, conflict resolution)

• Control self assessment (CSA)

• Continuous audit techniques

Organization

• The role of the IS audit function should be established by an audit charter.

• IS audit is most likely to be a part of internal audit; therefore, the audit charter may include other audit functions

• This charter should state clearly management's responsibility and objectives for, and delegation of authority to, the IS audit function

• This document should outline the overall authority, scope and responsibilities of the audit function

• The highest level of management and the audit committee, if available, should approve this charter. Once established, this charter should be changed only if the change can be and is thoroughly justified

Audit Charter (G5)

• Detail of Audit Charter

• Mandate

• Content

• Communication

• Service Level Agreements

Detail of Audit Charter

• Should be detailed enough to communicate
  – Purpose
  – Responsibility
  – Authority and accountability
  – Limitations of the audit function or audit assignment

• Should be prepared for ongoing activities

• The audit charter should be subject to an annual review or more often if the responsibilities are varied or changed

Mandate

• The IS auditor should have a clear mandate to perform the IS audit function

• This mandate is ordinarily documented in an audit charter that should be formally accepted

• Where an audit charter exists for the audit function as a whole, wherever possible the IS audit mandate should be incorporated

Content

• Responsibility

• Authority

• Accountability

Responsibility

• Mission statement

• Aims/goals

• Scope

• Objectives

• Independence

• Relationship with external audit

• Auditee requirements

• Critical success factors

• Key performance indicators

• Other measures of performance

Authority

• Risk assessment

• Right of access to information, personnel, locations and systems relevant to the performance of audits

• Scope or any limitations of scope

• Functions to be audited

• Auditee expectations

• Organizational structure, including reporting lines to board and senior management

• Grading of IS audit staff

Accountability

• Responsibility lines to senior management

• Assignment performance appraisals

• Personnel performance appraisals

• Staffing / career development

• Auditee's rights

• Independent quality reviews

• Assessment of compliance with standards

• Benchmarking performance and functions

• Assessment of completion of the audit plan

• Comparison of budget to actual costs

• Agreed actions; e.g. penalties when either party fails to carry out their responsibilities

Communication

• Describing the service, its scope, its availability and timeliness of delivery

• Providing cost estimates or budgets if they are available

• Describing problems and possible resolutions for them

• Providing adequate and readily accessible facilities for effective communication

• Determining the relationship between the service offered and the needs of the auditee

Service Level Agreements

• Availability for unplanned work

• Delivery of reports

• Costs

• Response to auditee complaints

• Quality of service

• Review of performance

• Communication with auditees

• Needs assessment

• Control risk self assessment

• Agreement of terms of reference for audits

• Reporting process

• Agreement of finding

Engagement Letter (G5)

• Purpose - Engagement letters are often used for individual assignments or for setting the scope and objectives of a relationship between external IS Audit and an organization

• Content

• Authority

• Accountability

Content

• Responsibility

• Scope

• Objective

• Independence

• Risk Assessment

• Specific auditee requirement

• Deliverable

Authority

• Right of access to information, personnel, locations and systems relevant to the performance of the assignment

• Scope or any limitations of scope

• Evidence of agreement to the terms and conditions of the engagement

Accountability

• Intended recipients of reports

• Auditee's rights

• Quality reviews

• Agreed completion dates

Responsibility

• To the Profession

• To the Auditee (Organisation)

• To the Stakeholders

• Statutory and Regulatory

• To Society

Authority

• Rights of IS Auditors

• Limitations

Rights of IS Auditors

• The IS auditor has the right to have an engagement letter or audit charter specifying the scope, objective and terms of reference of the audit

• The IS auditor has the right to access appropriate information and resources to effectively and efficiently complete the audit

• The IS auditor has the right to believe that management has established appropriate controls to prevent, deter and detect fraud unless the tests and evaluation carried on by the IS auditor prove otherwise

• The IS auditor has the right to call for such information and explanations deemed necessary and appropriate to permit objective completion of the audit

• The IS auditor has the right to retain the working files, documents, audit evidences, etc., obtained during the course of the audit, in support of his/her conclusions and to use the same as the basis of reference in case of any issues or contradictions

Limitations

• The IS auditor should have sufficient knowledge to identify the indicators of fraud but may not be expected to have the expertise of the person whose primary responsibility is detecting and investigating fraud

• The IS auditor should be alert to the significant risks that might affect objectives, operations or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified

Limitations

• Where the IS auditor is not able to obtain required information, is restricted from accessing resources or is in any way restrained from carrying out his/her function, the IS auditor should escalate his/her concerns to appropriate senior levels in management. The IS auditor should conduct the audit in a professional manner

• Where the IS auditor has utilized the services of an external expert, the IS auditor should evaluate the usefulness and sufficiency of work performed by such external expert and also perform appropriate testing to confirm the findings of the external expert

• The IS auditor is not responsible for implementing corrective actions

Accountability

• Professional Accountability

• Professional Negligence

• Restrictions

Effect of laws and Regulation on IS Audit Planning

• Establishment of the regulatory requirements

• Organization of the regulatory requirements

• Responsibilities assigned to the corresponding entities

• Correlation to financial, operational and IT audit functions

Major Concern

• Legal requirements placed on IS audit

• Legal requirements placed on the auditee
