Domain 1: The IS Audit Process

Jimmy Ardiansyah
Arkansas – September 9, 2005
Knowledge Domain
- 5 tasks: the tasks related to an IS audit that are to be carried out by an IS auditor
- 10 knowledge statements: the process requirements an IS auditor needs to know in order to carry out an IS audit
The Five Tasks
1. Develop and implement a risk-based IS audit
strategy for the organization in compliance with IS
audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business
systems are protected and controlled.
3. Conduct audits in accordance with IS audit
standards, guidelines and best practices to meet
planned audit objectives.
4. Communicate emerging issues, potential risks
and audit results to key stakeholders.
5. Advise on the implementation of risk management
and control practices within the organization
while maintaining independence.
Ten Knowledge Statements
1. Knowledge of ISACA IS Auditing
Standards, Guidelines and Procedures
and Code of Professional Ethics
2. Knowledge of IS auditing practices and
techniques
3. Knowledge of techniques to gather
information and preserve evidence
4. Knowledge of the evidence life cycle
5. Knowledge of control objectives and
controls related to IS
6. Knowledge of risk assessment in an audit
context
7. Knowledge of audit planning and
management techniques
8. Knowledge of reporting and
communication techniques
9. Knowledge of control self-assessment
(CSA)
10. Knowledge of continuous audit
techniques
Task No. 1
Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
Risk-Based Audit Approach
- Align audit tests and findings with the business risks.
- The audit approach should enable identification of risks.
- Focus on critical/high-risk areas rather than on the entire organization.
- Focus on risks rather than on volume.
- Audit planning and audit frequency are based on the risk profile.
- Reporting focuses on process improvement and risk management.
- Efficient commitment of audit resources.
Compliance with Standards, Guidelines and Procedures
- Risk assessment helps in selecting auditable units and in including in the annual IS audit plan those units that have the greatest risk exposure.
- Risk assessment exercises should be carried out and documented at least annually.
- Risk assessment allows the IS auditor to quantify and justify the amount of IS audit resources needed.
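The risk-based approach above (rank the audit universe by exposure, set audit frequency from the risk profile, spend the audit budget on the highest-risk units) can be made concrete. The following is an added example written for this page, not code from the slides or from ISACA; the scoring formula, the 1-to-5 scales, the frequency thresholds and the sample auditable units are all the editor's assumptions, and the universe is constructed data.

```python
"""Risk-ranking an audit universe to build an annual IS audit plan.

Added example, not from the slides: the weights, scales, thresholds and the
sample auditable units below are assumptions made for illustration only.
"""
from dataclasses import dataclass

# Assumed mapping from the qualitative frequency bands to a review interval.
FREQUENCY_INTERVAL_YEARS = {"annual": 1, "every 2 years": 2, "every 3 years": 3}


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    impact: int               # 1 (minor) .. 5 (critical): business impact if the area fails
    likelihood: int           # 1 .. 5: likelihood of a material error or compromise
    control_maturity: int     # 1 (ad hoc) .. 5 (optimised): how far controls can be relied on
    years_since_last_audit: int


def risk_score(unit: AuditableUnit) -> float:
    """Inherent exposure (impact x likelihood) discounted by control maturity, with a
    staleness uplift so that no unit is ignored indefinitely (assumed formula)."""
    inherent = unit.impact * unit.likelihood                    # 1 .. 25
    residual = inherent * (6 - unit.control_maturity) / 5       # maturity 5 keeps 20% of inherent
    staleness = min(unit.years_since_last_audit, 3)             # capped uplift of +1 per year
    return round(residual + staleness, 2)


def audit_frequency(score: float) -> str:
    """Map a risk score to a review frequency (assumed thresholds)."""
    if score >= 15:
        return "annual"
    if score >= 8:
        return "every 2 years"
    return "every 3 years"


def build_annual_plan(units, available_audit_days: int, days_per_audit: int = 15):
    """Rank the universe by score, then take the units that are due for review
    until the audit-day budget is exhausted. Returns (name, score, frequency) tuples."""
    ranked = sorted(units, key=risk_score, reverse=True)
    plan, remaining = [], available_audit_days
    for unit in ranked:
        score = risk_score(unit)
        frequency = audit_frequency(score)
        due = unit.years_since_last_audit >= FREQUENCY_INTERVAL_YEARS[frequency]
        if due and remaining >= days_per_audit:
            plan.append((unit.name, score, frequency))
            remaining -= days_per_audit
    return plan


# Constructed sample universe (not real systems).
SAMPLE_UNIVERSE = [
    AuditableUnit("SWIFT payments gateway", impact=5, likelihood=4, control_maturity=3, years_since_last_audit=1),
    AuditableUnit("HR self-service portal", impact=3, likelihood=3, control_maturity=4, years_since_last_audit=2),
    AuditableUnit("Data centre physical access", impact=4, likelihood=2, control_maturity=5, years_since_last_audit=3),
    AuditableUnit("Legacy AS/400 general ledger", impact=5, likelihood=5, control_maturity=2, years_since_last_audit=4),
]

if __name__ == "__main__":
    for name, score, frequency in build_annual_plan(SAMPLE_UNIVERSE, available_audit_days=40):
        print(f"{name:32} score={score:5}  frequency={frequency}")
```

Note what the output shows: the payments gateway scores second highest but drops out of this year's plan because it was audited last year and its band is "every 2 years", while the low-scoring data centre review is included because it is three years stale. That is the intended behaviour of a risk-based plan with a coverage backstop, and it is the justification for the audit resources the slide asks the auditor to document.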
Three Types of Risk:
- Inherent risk
- Control risk
- Detection risk
How should the IS auditor consider these risks during the course of an IS audit?
Inherent Risk
- Inherent risk is the susceptibility of an audit area to an error which could be material, individually or in combination with other errors, assuming that there were no related internal controls.
- In assessing inherent risk, the IS auditor should consider both pervasive and detailed IS controls.
Control Risk
- Control risk is the risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system.
- The IS auditor should assess control risk as high unless the relevant internal controls are:
  - Identified
  - Evaluated as effective
  - Tested and proved to be operating appropriately
Detection Risk
- Detection risk is the risk that the IS auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors.
- In determining the level of substantive testing required, the IS auditor should consider both:
  - The assessment of inherent risk
  - The conclusion reached on control risk following compliance testing
- The higher the assessment of inherent and control risk, the more audit evidence the IS auditor should normally obtain from the performance of substantive audit procedures.
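The three risks above interact, and the last bullet states the direction of that interaction in words. The following added example (written for this page; not from the slides or the CISA Review Manual) works it through numerically. It assumes the standard multiplicative audit risk model, audit risk = inherent risk x control risk x detection risk, solved for the detection risk the auditor can afford; the numeric bands for "low/medium/high" and the thresholds for the extent of substantive testing are the editor's assumptions, not ISACA figures. The control-risk rule (assess as high unless identified, evaluated effective and tested) is taken directly from the slide.

```python
"""Working the relationship between inherent, control and detection risk.

Added example, not from the slides. It assumes the standard multiplicative
audit risk model (AR = IR x CR x DR). The numeric bands and the
testing-extent thresholds are the editor's own assumptions.
"""
from dataclasses import dataclass

# Assumed numeric bands for a qualitative assessment.
RISK_LEVEL = {"low": 0.3, "medium": 0.6, "high": 1.0}


@dataclass(frozen=True)
class ControlEvidence:
    """What the IS auditor has established about the relevant internal controls."""
    identified: bool            # the controls relevant to the audit area have been identified
    evaluated_effective: bool   # their design has been evaluated as effective
    tested_operating: bool      # compliance testing proved they operate appropriately


def assess_control_risk(evidence: ControlEvidence, level_supported_by_testing: str = "low") -> str:
    """Slide rule: control risk is assessed as HIGH unless the controls are identified,
    evaluated as effective AND tested as operating. Only when all three hold may the
    auditor rely on them, at the level the compliance testing supports."""
    if evidence.identified and evidence.evaluated_effective and evidence.tested_operating:
        return level_supported_by_testing
    return "high"


def planned_detection_risk(target_audit_risk: float, inherent_risk: str, control_risk: str) -> float:
    """Detection risk the auditor can accept: AR = IR x CR x DR, solved for DR and capped at 1.0."""
    dr = target_audit_risk / (RISK_LEVEL[inherent_risk] * RISK_LEVEL[control_risk])
    return min(1.0, dr)


def substantive_testing_extent(detection_risk: float) -> str:
    """A lower acceptable detection risk means more substantive evidence (assumed bands)."""
    if detection_risk <= 0.10:
        return "extensive"
    if detection_risk <= 0.30:
        return "moderate"
    return "limited"


def plan_substantive_work(target_audit_risk: float, inherent_risk: str, evidence: ControlEvidence):
    """Tie the three together: assess CR from the evidence, derive DR, map it to an extent of testing."""
    cr = assess_control_risk(evidence)
    dr = planned_detection_risk(target_audit_risk, inherent_risk, cr)
    return cr, round(dr, 3), substantive_testing_extent(dr)


if __name__ == "__main__":
    untested = ControlEvidence(identified=True, evaluated_effective=True, tested_operating=False)
    tested = ControlEvidence(identified=True, evaluated_effective=True, tested_operating=True)
    print("high IR, controls not tested:", plan_substantive_work(0.05, "high", untested))
    print("high IR, controls tested    :", plan_substantive_work(0.05, "high", tested))
    print("low IR, controls tested     :", plan_substantive_work(0.05, "low", tested))
```

The point the numbers make: with the same 5% target audit risk, an area with high inherent risk whose controls were evaluated but never tested leaves the auditor needing extensive substantive work, whereas testing those same controls (and so lowering the control risk assessment) roughly triples the detection risk that can be tolerated and reduces the substantive testing required.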
Task No. 2
Plan specific audits to ensure that IT and business systems are protected and controlled.
Plan Specific Audits
- The IS auditor should plan the information systems audit coverage.
- The IS auditor should develop and document an audit plan.
- The IS auditor should develop an audit program.
Components of the Planning Process
- Business requirements
- Knowledge requirements
- Materiality
- Risk assessment
- Internal control evaluation
- Documentation
Materiality
- The IS auditor should ordinarily establish levels of planning materiality such that the audit work will be sufficient to meet the audit objectives and will use audit resources efficiently.
Risk Assessment
- Provides reasonable assurance that all material items will be adequately covered during the audit work.
- Should identify areas with a relatively high risk of the existence of material problems.
Internal Control Evaluation
- Provides a basis for reliance upon the information being gathered as part of the audit project.
- What is evaluated:
  - Whether the controls exist and operate as designed (compliance testing); the conclusion on control risk follows from this.
  - Whether the data and processing the controls are meant to protect are actually complete and correct (substantive testing); its extent depends on the inherent and control risk assessed.
  - The effect of irregular or illegal acts.
The Effect of a Lack of Controls
- Loss of information confidentiality and privacy
- Systems not being available for use when needed
- Unauthorized access to, and changes to, systems, applications or data
- Loss of data integrity, loss of data protection, or system unavailability
Examples of IS Controls
- Implementation of software packages
- System security parameters
- Disaster recovery planning
- Data input validation
- Exception report production
- Locking of user accounts after invalid attempts to access them
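Two of the example controls, account lockout after invalid attempts and exception report production, are a convenient way to show the difference between compliance testing and substantive testing from the internal control evaluation above. The following is an added example written for this page, not code from the slides or from any real audit tool: the policy limits, the configuration dump format and the authentication log lines are all constructed by the editor and labelled as such. The compliance test checks that the lockout control exists and is configured as the policy requires (a system security parameter); the substantive test re-performs the lockout logic over the actual authentication records and produces an exception report of every account that was not locked when it should have been.

```python
"""Compliance test versus substantive test of an account-lockout control.

Added example, not from the slides. Policy values, the configuration format
and the authentication log are constructed for illustration.
"""
import re

# Assumed policy the auditor is testing against.
POLICY_MAX_THRESHOLD = 5          # lock the account after at most 5 consecutive failures
POLICY_MIN_LOCK_MINUTES = 15      # keep it locked for at least 15 minutes

# Constructed configuration export, as an administrator might hand it to the auditor.
SAMPLE_CONFIG = """\
password_min_length = 8
lockout_threshold = 5
lockout_duration_minutes = 30
"""

# Constructed authentication log (not real data). Format: <timestamp> user=<id> result=<FAIL|SUCCESS|LOCKED>
SAMPLE_AUTH_LOG = """\
2005-09-09T10:00:01 user=alice result=FAIL
2005-09-09T10:00:05 user=alice result=FAIL
2005-09-09T10:00:09 user=alice result=FAIL
2005-09-09T10:00:13 user=alice result=FAIL
2005-09-09T10:00:17 user=alice result=FAIL
2005-09-09T10:00:21 user=alice result=LOCKED
2005-09-09T10:05:00 user=bob result=FAIL
2005-09-09T10:05:04 user=bob result=FAIL
2005-09-09T10:05:08 user=bob result=FAIL
2005-09-09T10:05:12 user=bob result=FAIL
2005-09-09T10:05:16 user=bob result=FAIL
2005-09-09T10:05:20 user=bob result=SUCCESS
2005-09-09T11:00:00 user=carol result=FAIL
2005-09-09T11:00:04 user=carol result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(FAIL|SUCCESS|LOCKED)$")


def parse_config(text: str) -> dict:
    """Parse 'key = value' lines; numeric values become ints."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key:
            cfg[key] = int(value) if value.isdigit() else value
    return cfg


def compliance_test(cfg: dict) -> list:
    """Does the control exist and is it configured as designed? Empty list means no finding."""
    findings = []
    threshold = cfg.get("lockout_threshold")
    if threshold is None:
        findings.append("lockout control not configured")
    elif threshold > POLICY_MAX_THRESHOLD:
        findings.append(f"lockout_threshold {threshold} exceeds policy maximum {POLICY_MAX_THRESHOLD}")
    duration = cfg.get("lockout_duration_minutes", 0)
    if duration < POLICY_MIN_LOCK_MINUTES:
        findings.append(f"lockout_duration_minutes {duration} below policy minimum {POLICY_MIN_LOCK_MINUTES}")
    return findings


def substantive_test(log_text: str, threshold: int) -> list:
    """Re-perform the lockout logic over the actual records: once a user has reached
    `threshold` consecutive failures, every further attempt must be reported as LOCKED.
    Lock expiry is deliberately not modelled (assumption: all records fall inside the
    lock window). Returns the exception report."""
    consecutive_failures = {}
    exceptions = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            exceptions.append(f"unparseable record: {line!r}")
            continue
        timestamp, user, result = match.groups()
        fails = consecutive_failures.get(user, 0)
        if fails >= threshold and result != "LOCKED":
            exceptions.append(f"{timestamp} {user}: {result} after {fails} consecutive failures; lockout did not operate")
        if result == "FAIL":
            consecutive_failures[user] = fails + 1
        elif result == "SUCCESS":
            consecutive_failures[user] = 0
        # LOCKED leaves the counter unchanged: the account stays locked.
    return exceptions


def run_audit(config_text: str, log_text: str) -> dict:
    cfg = parse_config(config_text)
    return {
        "compliance_findings": compliance_test(cfg),
        "exception_report": substantive_test(log_text, cfg.get("lockout_threshold", POLICY_MAX_THRESHOLD)),
    }


if __name__ == "__main__":
    for section, items in run_audit(SAMPLE_CONFIG, SAMPLE_AUTH_LOG).items():
        print(section, items or ["no findings"])
```

On the sample data the compliance test passes (the parameter exists and meets policy) but the substantive test still reports an exception: bob authenticated successfully on the sixth attempt after five consecutive failures, so the control did not operate for that account even though it was configured correctly. That is exactly why a conclusion on control risk cannot rest on the configuration alone, and why the exception report, itself one of the listed controls, is the evidence the auditor keeps.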
Effect of Pervasive Controls
- Strong pervasive IS controls can contribute to the assurance which may be obtained by an IS auditor in relation to detailed IS controls.
- Weak pervasive IS controls may undermine strong detailed IS controls or exacerbate weaknesses at the detailed level.
Task No. 3
Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
Performance of Audit Work
- Supervision
- Evidence
- Documentation
Supervision
- IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met.
Evidence
- During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
Documentation
- The audit process should be documented, describing the audit work performed and the audit evidence that supports the IS auditor's findings and conclusions.
Task No. 4
Communicate emerging issues, potential risks and audit results to key stakeholders.
Communicating
- The IS auditor should provide a report, in an appropriate form, upon completion of the audit.
- The report should identify the organization, the intended recipients and any restrictions on circulation.
- The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
Reporting and Presentation Criteria
- Measurable: provide for consistent measurement
- Objective: free from bias
- Complete: include all relevant factors needed to reach a conclusion
- Relevant: relate to the subject matter
Types of Services
An IS auditor may perform any of the following:
- Audit (direct or attest)
- Review (direct or attest)
- Agreed-upon procedures
Audit Opinion
- The IS auditor's opinion is restricted because of the nature of internal controls and the inherent limitations of any set of internal controls and their operation. These limitations include:
  - Management's usual requirement that the cost of an internal control does not exceed the expected benefits to be derived
  - Most internal controls tend to be directed at routine rather than non-routine transactions/events
  - The possibility that management may not be subject to the same internal controls applicable to other personnel
  - The possibility that internal controls may become inadequate due to changes in conditions, and that compliance with procedures may deteriorate
Task No. 5
Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Other Knowledge Requirements
- Knowledge of control self-assessment (CSA)
- Knowledge of continuous audit techniques
References:
- CISA Review Manual
- ISACA.org
- IITG.org
Information
- To obtain a copy (.ppt file), please send a request to tek-kom-moderator@yahoogroups.com or visit http://komputer-teknologi.net