The IS Audit Process

Date post: 27-Apr-2015
Upload: bambang-puji-haryo-wicaksono
Domain 1: The IS Audit Process Jimmy Ardiansyah Arkansas – September 9, 2005
Knowledge Domain

5 Tasks: Tasks related to the IS audit to be carried out by an IS auditor

10 Knowledge Statements: What process requirements an IS auditor needs to know to carry out an IS audit

The Five Tasks

1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.

2. Plan specific audits to ensure that IT and business systems are protected and controlled.

3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.

4. Communicate emerging issues, potential risks and audit results to key stakeholders.

5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.

Ten Knowledge Statements

1. Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics

2. Knowledge of IS auditing practices and techniques

3. Knowledge of techniques to gather information and preserve evidence

4. Knowledge of the evidence life cycle

5. Knowledge of control objectives and controls related to IS

6. Knowledge of risk assessment in an audit context

7. Knowledge of audit planning and management techniques

8. Knowledge of reporting and communication techniques

9. Knowledge of control self-assessment (CSA)

10. Knowledge of continuous audit techniques

Task No. 1

Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.

Risk Based Audit Approach

Align audit tests and findings with the business risks.

Audit approach should enable identification of risks.

Focus on critical/high-risk areas and not on the entire organization.

Focus on risks rather than volume.

Audit planning and frequency are based on the risk profile.

Reporting focuses on process improvement and risk management.

Efficient commitment of audit resources.

Compliance with Standards, Guidelines & Procedures

Risk assessment helps in selecting auditable units and including in the IS annual plan those that have the greatest risk exposure.

Risk assessment exercises should be carried out and documented at least on an annual basis.

Risk assessment allows the IS auditor to quantify and justify the amount of IS audit resources needed.

3 Types of Risks:

Inherent risk

Control risk

Detection risk

How should the IS auditor consider these risks during the course of an IS audit?

Inherent Risk

Inherent risk is the susceptibility of an audit area to error which could be material, assuming that there are no related internal controls.

In assessing the inherent risk, the IS auditor should consider both pervasive and detailed IS controls.

Control Risk

Control risk is the risk that an error which could occur in an audit area, and which could be material, will not be prevented or detected and corrected on a timely basis by the internal control system.

Control Risk

The IS auditor should assess the control risk as high unless relevant internal controls are:

Identified

Evaluated as effective

Tested and proved to be operating appropriately

Detection Risk

Detection risk is the risk that the IS auditor's substantive procedures will not detect an error which could be material.

In determining the level of substantive testing required, the IS auditor should consider both:

The assessment of inherent risk

The conclusion reached on control risk following compliance testing

The higher the assessment of inherent and control risk, the more audit evidence the IS auditor should normally obtain from the performance of substantive audit procedures.

Task No. 2

Plan specific audits to ensure that IT and business systems are protected and controlled.

Plan Specific Audits

The IS auditor should plan the information systems audit coverage.

The IS auditor should develop and document an audit plan.

The IS auditor should develop an audit program.

Components of Planning Process

Business requirements

Knowledge requirements

Materiality

Risk assessment

Internal control evaluation

Documentation

Materiality

The IS auditor should ordinarily establish levels of planning materiality such that the audit work will be sufficient to meet the audit objectives and will use audit resources efficiently.

Risk Assessment

To provide reasonable assurance that all material items will be adequately covered during the audit work.

Should identify areas with relatively high risk of existence of material problems.

Internal Control Evaluation

Provides a basis for reliance upon information being gathered as a part of the auditing project.

What do you evaluate:

Existence of controls (Compliance Testing)

Effectiveness of control (Substantive Testing)

Effect of irregular or illegal acts

The Effect of Lack of Controls

Loss of information confidentiality and privacy

Systems not being available for use when needed

Unauthorized access and changes to systems, applications or data integrity, loss of data protection or systems unavailability

Examples of IS Controls

Implementation of software packages

System security parameters

Disaster recovery planning

Data input validation

Exception report production

Locking of user accounts after invalid attempts to access them

Effect of Pervasive Controls

Strong pervasive IS controls can contribute to the assurance which may be obtained by an IS auditor in relation to detailed IS controls.

Weak pervasive IS controls may undermine strong detailed IS controls or exacerbate weaknesses at the detailed level.

Task No. 3

Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.

Performance of Audit Work

Supervision

Evidence

Documentation

Supervision

IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met.

Evidence

During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.

Documentation

The audit process should be documented, describing the audit work performed and the audit evidence that supports the IS auditor's findings and conclusions.

Task No. 4

Communicate emerging issues, potential risks and audit results to key stakeholders.

Communicating

The IS auditor should provide a report, in an appropriate form, upon completion of the audit.

The report should identify the organization, the intended recipients and any restrictions on circulation.

The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.

Reporting and Presentation Criteria

Measurable: Provide for consistent measurement

Objective: Free from bias

Complete: Include all relevant factors to reach a conclusion

Relevant: Relate to the subject matter

Types of Services

An IS auditor may perform any of the following:

Audit (direct or attest)

Review (direct or attest)

Agreed-upon procedures

Audit Opinion

The IS auditor’s opinion is restricted because of the nature of internal controls and the inherent limitations of any set of internal controls and their operations. These limitations include:

Management's usual requirement that the cost of an internal control does not exceed the expected benefits to be derived

Most internal controls tend to be directed at routine rather than non-routine transactions/events

Audit Opinion

The possibility that management may not be subject to the same internal controls applicable to other personnel

The possibility that internal controls may become inadequate due to changes in conditions, and compliance with procedures may deteriorate

Task No. 5

Advise on the implementation of risk management and control practices within the organization while maintaining independence.

Other Knowledge Requirements

Knowledge of control self-assessment (CSA)

Knowledge of continuous audit techniques

References:

CISA Review Manual

ISACA.org

IITG.org

Information

To obtain a copy (.ppt file), please send a request to [email protected] or visit http://komputer-teknologi.net

