Jimmy Ardiansyah
Arkansas – September 9, 2005
Knowledge Domain
5 Tasks
Tasks related to IS audit to be carried out by an IS auditor
10 Knowledge Statements
What are the process requirements an IS auditor needs to know for carrying out an IS audit
The Five Tasks
1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Ten Knowledge Statements
1. Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
2. Knowledge of IS auditing practices and techniques
3. Knowledge of techniques to gather information and preserve evidence
4. Knowledge of the evidence life cycle
5. Knowledge of control objectives and controls related to IS
6. Knowledge of risk assessment in an audit context
7. Knowledge of audit planning and management techniques
8. Knowledge of reporting and communication techniques
9. Knowledge of control self-assessment (CSA)
10. Knowledge of continuous audit techniques
Task No.1
Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
Risk Based Audit Approach
Align audit tests and findings with the business risks.
The audit approach should enable identification of risks.
Focus on critical/high-risk areas and not on the entire organization.
Focus on risks rather than volume.
Audit planning and frequency are based on the risk profile.
Reporting focuses on process improvement and risk management.
Efficient commitment of audit resources.
Compliance with Standards, Guidelines & Procedures
Identified
Evaluated as effective
Tested and proved to be operating appropriately
Detection Risk
Detection risk is the risk that the IS auditor's substantive procedures will not detect an error which could be material.
In determining the level of substantive testing required, the IS auditor should consider both:
The assessment of inherent risk
The conclusion reached on control risk following compliance testing
The higher the assessment of inherent and control risk, the more audit evidence the IS auditor should normally obtain from the performance of substantive audit procedures.
Task No. 2
Plan specific audits to ensure that IT and business systems are protected and controlled.
Plan Specific Audits
The IS auditor should plan the information systems audit coverage.
The IS auditor should develop and document an audit plan.
The IS auditor should develop an audit program.
Components of Planning Process
Business requirements
Knowledge Requirements
Materiality
Risk assessment
Internal Control Evaluation
Documentation
Materiality
The IS auditor should ordinarily establish levels of planning materiality such that the audit work will be sufficient to meet the audit objectives and will use audit resources efficiently.
Risk Assessment