d2 - CISA - Domain 01 - Day-2 - Information Systems Auditing Process (Execution)

The document discusses the execution phase of the information systems auditing process. It covers topics like audit project management, audit objectives, audit phases, evidence collection techniques, risk factors, business processes for e-commerce, and control classifications.

Uploaded by Md Mamun

Information Systems Auditing Process

Domain 01: Information Systems Auditing Process (Execution)
Day02-Information Systems Auditing Process

EXECUTION FOR IT AUDIT:


Once an audit is planned and the scope and objectives are defined, the IS auditor is ready to
execute the audit plan. The following sections provide guidance for executing an audit.


AUDIT PROJECT MANAGEMENT:

Several steps are required to perform an audit. Adequate execution is a necessary first step in
performing effective IS audits.
To efficiently use IS audit resources, audit organizations must assess the overall risk for the
general and application areas and related services being audited, and then develop an audit
program that consists of objectives and audit procedures to satisfy the audit objectives.
The audit process requires an IS auditor to gather evidence, evaluate the strengths and
weaknesses of controls based on the evidence gathered through audit tests, and prepare an
audit report that presents to management those issues (i.e., areas of control weaknesses with
recommendations for remediation) in an objective manner.

The process of auditing includes:

• Defining the audit scope,
• Formulating audit objectives,
• Identifying audit criteria,
• Performing audit procedures,
• Reviewing and evaluating evidence,
• Forming audit conclusions and opinions, and
• Reporting to management after discussion with key process owners.

Project management techniques for managing and administering audit projects include the
following basic steps:
• Plan the audit engagement—Plan the audit, considering project-specific risk.
• Build the audit plan—Chart out the necessary audit tasks across a timeline, optimizing resource
use. Make realistic estimates of the time requirements for each task with proper consideration
given to the availability of the auditee.
• Execute the plan—Execute audit tasks against the plan.
• Monitor project activity—Report actual progress against planned audit steps to ensure
challenges are managed proactively and the scope is completed within time and budget.


AUDIT OBJECTIVES

Audit objectives refer to the specific goals that must be accomplished by the audit.
In contrast, a control objective refers to how an internal control should function. An audit
generally incorporates several audit objectives.
Audit objectives often focus on confirming that internal controls exist to minimize business risk
and they function as expected.
These audit objectives include assuring compliance with legal and regulatory requirements as
well as the confidentiality, integrity, reliability and availability of information and IT resources.
One of the primary purposes of an IS audit is to identify control objectives and the related
controls that address the objective.


AUDIT PHASES
Each phase in the execution of an audit can be divided into key steps to plan, define, perform
and report the results.
An IS auditor often evaluates IT functions and systems from different perspectives, such as
security (confidentiality, integrity and availability), quality (effectiveness, efficiency), fiduciary
(compliance, reliability), service and capacity.

The audit work program is the audit strategy and plan—it identifies scope, audit objectives and
audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit
conclusions and opinions.


Minimum Skills to Develop an Audit Program


The following skills can assist an IS auditor in creating an audit program:
• Good understanding of the nature of the enterprise and its industry to identify and categorize the types of risk and threat
• Good understanding of the IT space and its components and sufficient knowledge of the technologies that affect them
• Understanding of the relationship between business risk and IT risk
• A basic knowledge of risk assessment practices
• Understanding of the different testing procedures for evaluating IS controls and identifying the best method of evaluation, for example:
– The use of generalized audit software to survey the contents of data files (e.g., system logs, user access list)
– The use of specialized software to assess the contents of operating systems, databases and application parameter files
– Flowcharting techniques for documenting business processes and automated controls
– The use of audit logs and reports to evaluate parameters
– Review of documentation
– Inquiry and observations
– Walk-throughs

AUDIT EVIDENCE COLLECTION TECHNIQUES

Evidence is any information used by an IS auditor to determine whether the entity or data being audited follows the
established criteria or objectives and supports audit conclusions. It is a requirement that conclusions be based on
sufficient, relevant and competent evidence.
When planning the IS audit, the type of audit evidence to be gathered, its use as audit evidence to meet audit
objectives and its varying levels of reliability should be considered.
Audit evidence may include:
• An IS auditor’s observations (presented to management)
• Notes taken from interviews
• Results of independent confirmations obtained by an IS auditor from different stakeholders
• Material extracted from correspondence and internal documentation or contracts with external partners
• The results of audit test procedures

RISK FACTORS:

Evaluation of the risk factors should be based on objective criteria, although subjectivity cannot
be completely avoided.
For example, in respect to the reputation factor, the criteria (based on which inputs can be
solicited from the business) may be rated as:
• High—A process issue may result in damage to the reputation of the organization that will take
more than six months to recover.
• Medium—A process issue may result in damage to the reputation of the organization that will
take less than six months but more than three months to recover.
• Low—A process issue may result in damage to the reputation of the organization that will take
less than three months to recover.

BUSINESS PROCESS E-COMMERCE:

Ecommerce is the buying and selling of goods online. Typically, a buyer purchases goods and
services from a website and provides delivery and payment details, including transfers or
payment orders.
The website may gather details about customers and offer other items that may be of interest.
The term e-business includes buying and selling online as well as customer support or
relationships between businesses.
Ecommerce, as a general model, uses technology to enhance the processes of commercial
transactions among a company, its customers and business partners. The technology used can
include the Internet, multimedia, web browsers, proprietary networks, automatic teller
machines (ATMs) and home banking.


ECOMMERCE TYPES INCLUDE THE FOLLOWING:

• Business-to-business (B-to-B)—Business conducted between organizations
• Business-to-consumer (B-to-C)—Business conducted between an organization and its customers
• Consumer-to-consumer (C-to-C)—Business conducted between customers, primarily using a
third-party platform
• Consumer-to-business (C-to-B)—Business conducted between a consumer and a business. This
is when consumers sell their products or services to a business.
• Business-to-government (B-to-G)—Business conducted between an organization and a public
administration (e.g., government organizations) where the governmental organization promotes
awareness and growth of ecommerce.
• Consumer-to-government (C-to-G)—Business conducted between a consumer and a public
administration or government. An example is electronic tax filing.

Control Classifications

RISK ASSESSMENT (please review this before continuing)


Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives
relevant to the organization. The results should guide and determine the appropriate management action,
priorities for managing information security risk and priorities for implementing controls selected to protect
against risk.
Risk assessments should be performed periodically to address changes in the environment, security
requirements, and the risk situation (e.g., in the assets, threats, vulnerabilities, impacts), and when significant
changes occur.
Risk identified in the risk assessment needs to be treated. Possible risk response options include:
• Risk mitigation—Applying appropriate controls to reduce the risk
• Risk acceptance—Knowingly and objectively not taking action, provided the risk clearly satisfies the
organization’s policy and criteria for risk acceptance
• Risk avoidance—Avoiding risk by not allowing actions that would cause the risk to occur
• Risk sharing (transfer)—Transferring the associated risk to other parties (e.g., insurers or suppliers)

Types of Audits and Assessments


An IS auditor should understand the various types of audits that can be performed, internally or
externally, and the basic audit procedures associated with each.
These include:
• IS audit—An IS audit is designed to collect and evaluate evidence to determine whether an
information system and related resources are adequately safeguarded and protected; maintain
data and system integrity and availability; provide relevant and reliable information; achieve
organizational goals effectively.
• Compliance audit—A compliance audit includes specific tests of controls to demonstrate
adherence to specific regulatory or industry-specific standards or practices. These audits often
overlap other types of audits but may focus on particular systems or data.
• Financial audit—A financial audit assesses the accuracy of financial reporting. A financial audit will often
involve detailed, substantive testing, although IS auditors are increasingly placing more emphasis on a risk-
and control-based audit approach. This kind of audit relates to financial information integrity and
reliability.
• Operational audit—An operational audit is designed to evaluate the internal control structure in a given
process or area. IS audits of application controls or logical security systems are examples of
operational audits.
• Integrated audit—An integrated audit can be performed by external or internal auditors and would
include compliance tests of internal controls and substantive audit steps.
• Administrative audit—An administrative audit is designed to assess issues related to the efficiency of
operational productivity within an organization.
• Specialized audit—Many different types of specialized audits are conducted. Within the category of IS
audit, specialized reviews may examine areas such as fraud or services performed by third parties.
• Fraud audit—A fraud audit is a specialized audit designed to discover fraudulent activity. Auditors often
use specific tools and data analysis techniques to discover fraud schemes and business irregularities.
• Forensic audit—A forensic audit is a specialized audit to discover, disclose and follow up on fraud and
crime. The primary purpose of such an audit is the development of evidence for review by law
enforcement and judicial authorities.
• Computer forensic audit—A computer forensic audit is an investigation that includes the analysis of
electronic devices such as computers, smartphones, disks, switches, routers and hubs. An IS auditor
possessing the necessary skills can assist an information security manager or forensic specialist in
performing forensic investigations and conduct an audit of the system to ensure compliance with the
evidence collection procedures for forensic investigation.
• Functional audit—A functional audit provides an independent evaluation of software products, verifying
that the actual functionality and performance of their configuration items are consistent with the requirement
specifications. Specifically, this audit is held prior to the software delivery or after implementation.
Questions?