Training IT Audit

Chapter 1
The Process of Auditing Information
Systems
Quick Reference Review

• The IT Audit Plan Process

• Management of the IS Audit Function
• ISACA IS Audit & Assurance Standards Framework
• Risk Analysis
• Internal Control
• Performing and IS Audit
1.1 The IT Audit Plan Process
1.2 Management of the IS Audit Function

Management of the IS audit function:

• Auditing should be managed and led in a manner that
ensures all the tasks are performed and accomplished by
the audit team
• Auditors should maintain independence as well as their
competence in the auditing process
• The audit function should have value-added contributions for
the senior management
• The audit function should also achieve business objectives
• Ensures that diverse audit tasks fulfill audit function
objectives
1.2.1 Organization of the IS Audit
Function
• IS audit services can be provided externally or internally
• Internal: An internal audit should be established by charter and have approval of
senior management
• This can be an internal audit
• The audit can function as an independent group
• The audit committee integrated within a financial and operational audit provide IT
related control assurance to the financial or management auditors
• External: IS audit services are provided by an external firm
• The scope and objectives of these services should be listed in a formal contract
between the organization and the external auditing team
• Role of IS internal audit function should be established by and audit charter
approved by senior management
o Clearly state management responsibility
o Objectives and delegation of authority
o Scope and responsibilities of audit functions
1.2.2 IS Audit Resource Management

As technology changes it is important that management

ensures the auditors keep up to date with other skill sets
• This requires training that is directed to new auditing
techniques and updates technology
• ISACA standards require that the auditing team be
technically competent
• Management should consider the auditor’s skills and
knowledge when planning an audit
1.2.3 Audit Planning

Annual Planning:
• Planning has both short and long-term goals
• Short-term should take into account issues that will be covered during the
year
• Long-term will take into account the issues regarding changes to the
organization’s IT strategic direction
• Both long and short-term issues should be reviewed annually

Audit Universe:
• Lists all the processes that may be considered for the audit
• Subject to risk assessment
• Analysis of short and long-term issues should occur at least annually
Audit Planning Continued

Individual Audit Assignments

• Each individual audit must be planned
• Must consider system implementation / deadlines; current and future technologies

Exhibit 1.2-Steps to Perform Audit Planning

Exhibit 1.2-Steps to Perform Audit Planning
• Gain an understanding of the business’s mission, objectives, purpose and
processes, which include information and processing requirements such as
availability, integrity, security and business technology, and information
confidentiality.
• Understand changes in business environment of the auditee
• Review prior work papers
• Identify stated contents such as policies, standards and required guidelines,
procedures and organization structure
• Perform a risk analysis to help in designing the audit plan
• Set the audit scope and audit objectives
• Develop the audit approach or audit strategy
• Assign personnel resources to the audit
• Address engagement logistics
Audit Planning Continued

Steps an IS auditor could take to gain an understanding oldie

business include:
• Reading background material including industry publications,
annual reports and independent financial analysis reports
• Reviewing prior audit reports or IT-related reports (from external or
internal audits, or specific reviews such as regulatory reviews)
• Reviewing business and IT long-term strategic plans
• Interviewing key managers to understand business issues
• Identifying specific regulations applicable to IT
• Identifying 11 functions or related activities that have been
outsourced
• Touring key organization facilities
1.2.4 Effect of Laws & Regulations on
Audit Planning
• Regardless of size and complexity of the business, every organization need to comply with laws and
regulations

The following are steps an IS auditor would perform to determine an organization’s level of compliance with
external requirements:
• Identify those government or other relevant external requirements dealing with:
o Electronic data, personal data, copyrights, e-commerce, e-signature, etc.
o Computer system practices and controls
o The manner in which computers, programs, and data are stored
o The organization or the activities of information technology services
o IS audits
• Document applicable laws and regulations
• Assess whether the management of the organization and the IS function have considered the relevant
external requirements in making plans and in setting policies, standards and procedures, as well as
business application features.
• Review internal IS department/function/activity documents that address adherence to laws applicable to the
industry
• Determine adherence to established procedures that address these requirements
• Determine if there are procedures in place to ensure contracts or agreements with external IT services
providers reflect any legal requirements related to responsibilities
1.3 ISACA IS Audit & Assurance
Standards Framework

General
1001 Audit Charter 1002 Organizational Independence
1003 Professional Independence 1004 Reasonable Expectation
1005 Due Professional Care 1006 Proficiency
Performance
1201 Engagement Planning 1202 Risk Assessment in Planning
1203 Performance and Supervision 1204 Materiality
1205 Evidence 1206 Using the Work of Other
Experts
1207 Irregularity and Illegal acts
Reporting
1401 Reporting 1402 Follow-up activities
1.3.1 ISACA IS Audit and Assurance
Guidelines

• The objective of the ISACA IS Audit and Assurance

Guidelines is to provide further information on how to comply
with ISACA IS Audit and Assurance Standards.
• The IS auditor should:
o Consider them in determining how to implement the
above standards
o User professional judgment in applying them to specific
audits
o Be able to justify any difference
1.3.2 ISACA IS Audit & Assurance Tools
& Techniques

• ISACA has developed standards provide examples of

possible processes that an IS auditor may follow
• The tools and technique documents provide information on
how to meet the standards when performing IS auditing
work, but DO NOT set requirements
1.3.3 Relationship Among Standards,
Guidelines, & Tools & Techniques

• Standards defined by ISACA are TO BE followed by the IS

auditor
• Guidelines provide assistance on how the auditor can
implement standards in various audit assignments
• Tools and techniques provide examples of steps the auditor
may follow in specific audit assignments
1.3.4 Information Technology Assurance
Framework (ITAF)

• A comprehensive & good-practice-setting model:

o Provides guidance on the design, conduct and reporting
of IS audit and assurance assignments
o Defines terms and concepts specific to IS assurance
o Establishes standards that address IS audit and
assurance professional R&R, knowledge and skills, and
diligence, conduct and reporting requirements
• Includes three categories of standards – general,
performance and reporting – as well as Guidelines, Tools
and Techniques
Information Technology Assurance
Framework (ITAF) Continued
Information Technology Assurance Framework (ITAF) Component:
• General Standards – The guiding principles under which the IS assurance profession
operates. They apply to the conduct of all assignment’s, and deal with the IS audit and
assurance professional’s ethics, independence, objectivity and due care as well as knowledge,
competency and skill
• Performance Standards – deal with the conduct of the assignment, such as planning and
supervision, scoping, risk and materiality, resource mobilization, supervision and assignment
management, audit and assurance evidence, and the exercising of professional judgment and
due care
• Reporting Standards – address the types of reports, means of communication and the
information communicated
• Guidelines – Provide the IS audit and assurance professional with information and direction
about an audit or assurance area. In line with three categories of standards outlined above,
guidelines focus on the various audit approaches, methodologies, tools and techniques, and
related material assist in planning, executing, assessing, testing and reporting on IT processes,
controls and related audit or assurance initiatives. Guidelines also help clarify the relationship
between enterprise activities and initiatives, and those undertaken by IT.
• Tools and Techniques – Provide specific information on various methodologies, tools and
templates – and provide direction in their application and use to operationalize the information
provided in the guidance. Note that the tools and techniques are directly linked to specific
guidelines. They take a variety of forms, such as discussion documents, technical direction,
white papers, audit programs or books – e.g., the ISACA publication on SAP, which supports
the guideline on enterprise resource planning (ERP) systems.
 The ITAF Taxonomy: How ITAF is
Organized Hierarchically

General Performance Reporting

Standards Standards Standards

Guidelines: Guidelines: Guidelines:

Guidelines:
IS IS Assurance IS Assurance
IS Assurance
Management Processes Management

Tools and Techniques

Source: ISACA, ITAF: A Professional Practices Framework for IT Assurance, USA, 2008. figure 1
1.4 Risk Analysis

• Part of audit planning, and helps identify risks and

vulnerability so the IS auditor can determine the controls
needed to mitigate those risks
• IS auditors must be able to identify and differentiate risk
types and the controls used to mitigate risks

• Risk = Combination of probability of an event and

its consequence
Risk Analysis Continued

In analyzing the business risks arising from the use of IT, it is important for the
IS auditor to have a clear understanding of:
• The purpose and nature of business, the environment in which the business
operate and related business risks
• The dependence on technology to process and deliver business information
• The business risk of using IT and how it impacts the achievement of the
business goals and objectives
• A good overview of the business processes and the impact of IT and related
risks on the business process objectives
Risk Analysis Continued

• ISACA has a risk IT framework that is based on a set of

guiding principles and features business process and
management guidelines to conform to those principles
• To get a good understanding of risk we should have a
definition of what a risk is
• The ISO has published a definition of risk as the potential that a given
threat will exploit vulnerabilities of an asset and thereby cause harm to
the organization
Risk Analysis Continued

• When analyzing IT services the auditor would specifically be

looking at the risks associated for the business when using
IT services within an enterprise
• One of the goals of the risk analysis is to help in mitigating
that risk to a manageable point
• This can be crucial to a business that relies heavily on the
support of IT
1.4.2 Audit Risk and Materiality

Audit Risk:
• The risk that information ay contain a material error that may
go undetected during the course of the audit
• IS auditor to have sound understanding of these audit risks
when planning an audit
 Audit Risk and Materiality Continued
Audit risk is influenced by:
• Inherent risk – as it relates to audit risk, it is the risk level or exposure of the
process/entity to be audited without taking into account the controls that
management has implemented. Inherent risks exist independent of an audit and
can occur because of the nature of the business
• Control risk – the risk that a material error exist that would not be prevented or
detected on a timely basis by the system of internal controls. For example, the
control risk associated with manual reviews of computer logs can be high
because activities volume of logged information. The control risk associated with
computerized data validation procedures is ordinarily low if the processes are
consistently applied
• Detection risk – the risk that material errors or misstatements that have
occurred will not be detected by the IS auditor
• Overall audit risk – the probability that information or financial reports may
contain material errors and that the auditor may not detect an error that has
occurred. An objective in formulating the audit approach is to limit the audit risk
in the area under scrutiny so the overall audit risk is at a sufficiently low level at
the completion of the examination
 1.4.3 Risk Assessment and Treatment
• Risk assessment identify, quantify, and prioritize risks against criteria for
risk acceptance and objectives relevant to the organization

Each of the risks identified in the risk assessment needs to be treated.

Possible risk response options include:
• Risk mitigation – Applying appropriate controls to reduce the risks
• Risk acceptance – Knowingly and objectively not taking action,
providing the risk clearly satisfies the organization’s policy and criteria for
risk acceptance
• Risk avoidance – Avoiding risks by not allowing actions that would
cause the risks to occur
• Risk transfer/sharing – Transferring the associated risks to other
parties, e.g. insures or suppliers
1.4.4 Risk Assessment Techniques

• One technique is scoring system based on priority

• Other is simple classification. i.e. High, Medium, Low
• Another technique is judgmental based on business
knowledge, executive management directives, historical
perspectives, business goals etc.
• A combination of all these is usually used
1.4.5 Summary of Risk Assessment
Process

Identify Business Objective

(BO)

Identify Information Assets

Supporting the BOs
Perform Periodic Risk
Reevaluation Perform Risk Assessment (RA)
(BO/RA/RM/RT) [Threat-> Vulnerability ->
Probability -> Impact]

Perform Risk Mitigation (RM)

[Map risks with controls in place]

Perform Risk Treatment (RT)

[Treat significant risks not
mitigated by existing controls]
1.5 Internal Control

• Composed of policies, procedures, practices and

organizational structures which are implemented to reduce
risks
• Provide reasonable assurance to management that
business objectives be achieved and risk events will be
prevented, detected and corrected
• Operate at all levels to mitigate its exposures to risks
 Internal Control Continued
Control Classification

Class Function Examples

Preventive • Detect problem before they arise • Employ only qualified personnel
• Monitor both operation and inputs • Segregate duties (deterrent factor)
• Attempt to predict potential problem before • Control access to physical facilities
they occur and make adjustments • Use well-designed documents (prevent
• Prevent an error, omission or malicious act errors)
from occurring • Establish suitable procedures for
authorization of transactions
• Complete programmed edit checks
• Use access control software that allows only
authorized personnel to access sensitive
files
• Use encryption software to prevent
unauthorized disclosures of data
Detective • Use controls that detect and report the • Hash totals
occurrence of an error, omission or • Check points in production jobs
malicious act • Echo controls in telecommunications
• Error messages over tape labels
• Duplicate checking of calculations
• Periodic performance reporting with
variances
• Past-due account reports
• Internal audit functions
• Review of activity logs to detect
unauthorized access attempts
Corrective • Minimize the impact of a threat • Contingency planning
• Remedy problems discovered by detective • Backup procedures
controls • Rerun procedures
• Identify the cause of a problem
• Correct errors arising from a problem
• Modify the processing system(s) to minimize
future occurrences of the problem
1.5.1 IS Control Objectives

• Control objectives are statements of the desired result or

purpose to be achieved by implementing control activities
• Provide a complete set of high-level requirements to be
considered by management for effective control of each IT
process
• IS control objectives are:
o Statements of the desired result or purpose to be
achieved
o Comprised of policies, procedures, practices and
organizational structures
o Designed to provide reasonable assurance that
business objectives will be achieved
1.5.2 COBIT

• COBIT provides a framework to support the governance and

management of IT
• COBIT has a framework with a set of 34 IT processes
grouped into four domains:
• Plan and organize
• Acquire and implement
• Deliver and support
• Monitor and evaluate
 COBIT 5 Principles

1. Meeting
Stakeholder
needs

5. Separating
2. Covering
Governance
the Enterprise
From
End-to-End
Management
COBIT 5
Principles

3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework

Source: ISACA, COBIT 5, USA, 2012, figure 2

Governance and Management

• Governance:
• Governance ensures that stakeholder needs, conditions
and options are evaluated to determine balanced,
agreed-on-enterprise objectives to be achieved; setting
direction through prioritization and decision making; and
monitoring performance and compliance against
agreed-on direction and objectives
• Management:
• Management plans, builds, runs and monitors activities
in alignment with the direction set by governance body to
achieve the enterprise objectives
1.5.3 General Controls

• Controls include policies, procedures, and practices established by

management to provide reasonable assurance that specific
objectives will be achieved
o Internal accounting controls
o Operational controls
o Administrative controls
o Security policies and procedures
o Policies for documentation
o Procedures and practices on acceptable access to use of
assets and facilities
o Physical and logical security policies
1.5.4 IS Controls

• General controls to be translated into IS-specific controls

o Strategy and direction
o Organization management
o Access to IT resources, including data and programs
o System development methodologies
o Change control
o Operations procedures
o Systems programming and technical support functions
o QA procedures
o Physical access controls
o BCP/DRP
o Database Administration
o Networks and communications
o Protection and detection against internal and external threats
1.6 Performing and IS Audit

• Auditing is a systematic process to objectively obtain and evaluate

evidence regarding assertions about a process. The goal is to form
an opinion and report on how well the assertion is implemented
• There are several steps required for an audit:
• Adequate planning
• Assessing risks
• Creating an audit program consisting of objectives and procedures
• Gathering evidence
• Evaluation strengths and weakness based on testing
• Creating reports including recommendations
Performing an IS Audit Continued

• The basic steps of project management for an audit would

include:
• Developing a detailed plan
• Report project activity against the plan
• Adjust the plan and take any correctives actions as needed
1.6.1 Classification of Audits

There are a variety of different types of audits that can be

performed and they would be as follows:
• Financial audits
• Operational audits
• Integrated audits
• Administrative audits
• IS audits
• Specialized audits
• Forensic audits
• Compliance audits
1.6.2 Audit Programs

• A step-by-step set of audit procedures and instructions that

should be performed to complete an audit
• It is the audit strategy and plan of audit
• Based on scope and objective of each assignment
• IS auditors evaluate based on Security (C,I,A), Quality (E,E),
Fiduciary (C,R), service and capacity
1.6.3 Audit Methodology

• A set of documented audit procedures designed to achieve

planned audit objectives
• Components include:
o Statement of scope
o Statement of audit objectives
o Statement of audit programs
• Set up and approved by audit management
 Audit Phases

Audit Phase Description

Audit subject Identify the area to be audited
Audit objective Identify the purpose of the audit. For example an objective might be to
determine whether program source code changes occur in a well-
defined and controlled environment
Audit scope Identify the specific systems, function or unit of the organization to be
included in the review. For example, in the previous program changes
example, the scope statement might limit the review to a single
application system or to a limited period of time
Preaudit planning • Identify technical skills and resources needed
• Identify the sources of information for test or review such as
functional flow charts, policies, standards, procedures and prior
audit work papers
• Identify locations or facilities to be audited
Audit procedures and steps for data gathering • Identify and select the audit approach to verify and test the
controls
• Identify a list of individuals to interview
• Identify and obtain departmental policies, standards and
guidelines for review
• Develop audit tools and methodology to test an verify control
Procedures for evaluating the test or review results Organization-specific
Procedures for communication with management Organization-specific
Audit report preparation • Identify follow-up review procedures
• Identify procedures to evaluate/test operational efficiency and
effectiveness
• Identify procedures to test controls
• Review and evaluate the soundness of documents, policies and
procedures
1.6.4 Fraud Detection

• IS auditors should be aware of the possibility and means of

perpetrating fraud
• Should have knowledge and experience of fraud and fraud
indicators
• Evaluate and communicate to appropriate authorities
• In case of major fraud or major high risk, audit management
MUST communicate to audit committee
1.6.5 Audit Objectives

• It refers to specific goals that must be accomplished by the audit

• Focus on substantiating that internal controls exist to minimize risks and
they function as expected
• A key element in planning as IS audit is to translate basic audit objectives
into specific IS audit objectives
• Basic purpose of any IS audit is to identify “control objectives” and the
related controls that address that objective
• “Control objective” refers to how an internal control should function

For example, in a financial/operational audit, a control objective could be to

ensure that transactions are properly posted to the general ledger accounts.
However, in the IS audit, the objective could be extended to ensure that
editing features are in place to detect errors in the coding of transactions
that may impact the account-posting activities.
 1.6.6 Compliance vs. Substantive Testing

Compliance Testing Substantive Testing

Testing an organization’s compliance Evaluate the integrity of individual
with control procedures transactions, data or other information
Determines if controls are being Substantiates the integrity of actual
applied that complies with processing
management policies and procedures
Provide IS auditors with reasonable Normally used to test for monetary
assurance that particular control is errors directly effecting financial
operating as expected statement balances
Used to test the existence and
effectiveness of a defined process
• Direct correlation between levels of internal controls and the amount of
substantive testing required
• If compliance tests reveal the presence of adequate internal controls,
minimize the substantive procedures
 Compliance vs. Substantive Testing
Continued
Examples of compliance testing of controls where sampling could be considered
include user access rights, program change control procedures, documentation
procedures, program documentation, follow-up of exceptions, review of logs,
software license audits, etc.
Examples of substantive tests where sampling could be considered include
performance of a complex calculation (e.g., interest) on a sample of accounts or a
sample of transactions to vouch for supporting documentation, etc.
Exhibit 1.9 – Understand the Control Environment and Flow of Transactions

Review the system to identify controls

Test compliance to determine whether controls are functioning

Evaluate the controls determine the basis for reliance and the nature, scope and timing of substantive
tests

Use two types of substantive test to evaluate the validity of the data

Test balance and transactions Perform analytic review procedures

1.6.7 Evidence

• Any information used by the IS auditor to determine whether

the entity or data being audited follows the established
criteria or objectives
• May include auditor’s observations, notes taken from the
interviews, results of independent confirmations,
documentation, results of audit test procedures etc.
• The “quality” and “quantity” of evidence must be accessed
by the IS auditor
• Referred to as “competent (quality)” and “sufficient
(quantity)”
Evidence Continued

• Evidence is “competent” when it is both valid and relevant

• Techniques for gathering evidence:
o Reviewing IS organizational structures
o Reviewing IS policies and procedures
o Reviewing IS standards
o Reviewing IS documentation
o Interviewing appropriate personnel
o Observing processes and employee performance
o Walkthroughs
1.6.8 Interviewing & Observing personnel
in performance of their duties

• Assist IS auditors in identifying:

o Actual functions
o Actual processes/procedures
o Security awareness
o Reporting relationships
o Observation drawbacks
1.6.9 Sampling

• Used when time and cost preclude a total verification of all

transactions or events in a pre-defined population
• Two general approaches:
• Statistical Sampling
 Objective method of determining the sample size and
selection criteria
 Uses the mathematical laws of probability to:
 Calculate the sampling size
 Select the sample items
 Evaluate the sample results and make the inference
 Quantitatively decides how closely the sample should
represent the population
 Represented as a percentage
Sampling Continued

• Non-statistical Sampling
o Uses auditor judgment to determine the method of
sampling, the number of items that will be examined
from a population and which items to select
o Based on subjective judgment
• Two primary methods of sampling:
1. Attribute sampling
• Generally applied in compliance tests
2. Variable sampling
• Generally applied in substantive tests
 Sampling Continued
Attribute sampling refers to three different but related Variable sampling – also known as dollar estimation
types of proportional sampling: or mean estimation sampling – is a technique used to
estimate the monetary value or some other unit of
1. Attribute sampling (also referred to as fixed
measure (such as weight) of population form a
sample-size attribute sampling or frequency- sample portion. An example of variable sampling is a
estimating sampling) – a sampling model that is review of an organization’s balance sheet for material
used to estimate the rate (percent) of occurrence transactions and an application review of the program
of a specific quality (attribute) in a population. that produced the balance sheet.
Attribute sampling answers the question of “how Variable sampling refers to a number of different
many?” an example of an attribute that might be types of quantitative sampling models:
tested is approval signatures on computer access
1. Stratified mean per unit – A statistical model in
request forms
which the population is divided into groups and
2. Stop-or-go sampling – A sampling model that samples are drawn from the various groups.
helps prevent excessive sampling of an attribute Stratified mean sampling is used to produce a
by allowing an audit test to be stopped at the smaller overall sample size relative to unstratified
earliest possible moment. Stop-or-go sampling is mean per unit.
used when the IS auditor believes that relatively 2. Unstratified mean per unit – A statistical model in
few errors will be found in a population which a sample mean is calculated and projected
as an estimated total
3. Discovery sampling – A sampling model that can
3. Difference estimation – A statistical model used
be used when the expected occurrence rate is
to estimate the total difference between audited
extremely low. Discovery sampling is most often values and book (unaudited) values based on
used when the objective of the audit is to seek differences obtained from sample observations
out (discover) fraud, circumvention of regulations
or other irregularities
1.6.10 Using the services of other
auditors & experts

• The following should be considered with regards to using the

services of other auditors and experts:
o Restrictions on outsourcing of audit/security services provided
by laws and regulations
o Audit charter
o Impact on overall and specific IS audit objectives
o Impact on IS audit risk and professional liability
o Independence and objectivity of other auditors and experts
o Professional competence
o Scope of work
o Supervisory and audit management controls
o Compliance with applicable laws, regulations and standards
1.6.11 Computer – Assisted Audit
Techniques (CAAT)

• An important tool in gathering evidence from different

auditing environments
• Enable IS auditors to gather information independently
• Include many types of tool and techniques such as:
o GAS (Generalized audit software)
o Utility software
o Debugging and scanning software
o Test data
o Application software tracing and mapping
1.6.12 Evaluation of Strengths &
Weaknesses

• IS auditors should access the strengths and weaknesses of

the controls evaluated
• A control matrix is utilized in accessing the level of controls
• One of strong control may compensate for a weak control in
another area
• A control objective is achieved NORMALLY by multiple
controls
1.6.13 Communicating Audit Results

• Exit interviews
• Executive summary
• Audit report
• Visual presentation
• Before communicating the results to the senior
management, the IS auditor should discuss the finding with
the management/staff of the audited entity
• IS auditor should make final decision about what to
include/exclude from the audit report
• Usually a balance report BUT must exercise independence
1.6.14 Management Implementation of
Recommendations

• A follow-up program to determine if findings and corrective

actions implemented
• Management to develop firm program for corrective actions
1.6.15 Audit Documentation

Audit documentation should include, at a minimum, a record of the:

• Planning and preparation of the audit scope and objectives
• Description and/or walkthrough on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• Audit documentation relation with document identification and dates

It is also recommended that documentation include:

• A copy of the report issued as a result of the audit work
• Evidence of a audit supervisory review