
Sequence

1. Audit charter or engagement letter
2. Preplanning the audit
3. Performing a risk assessment
4. Determining whether an audit is possible
5. Performing the actual audit
6. Gathering evidence
7. Performing audit tests
8. Analyzing the results
9. Reporting the results
10. Conducting any follow-up activities
IS Audit Process Flow chart

2- Preplanning the Audit
It includes
Information gathering
Knowledge of the business itself
Strategic objectives
Financial Objectives
Operational objectives for internal control
Identifying restrictions on scope
Understanding the variety of audits
Systematic approach to planning

3- Performing a Risk Assessment

The auditor will need to identify potential risks to the organization
The auditee will assist by providing information about their organization
Risk management includes
Identify assets, threats, vulnerabilities and existing controls
Perform risk assessment
Formulate a risk treatment plan
Accept
Reduce
Transfer
Avoid

4- Determining whether an audit is Possible

Lack of sufficient and reliable evidence
Existence of any third-party service providers
Etc.

5- Perform the actual Audit
Allocating staffing
Audit's org structure
Skills matrix
Using the work of other people
Ensure audit quality control
Audit standards, guidelines, and procedures were developed by ISACA and other organizations to promote quality and consistency in a typical audit
Define auditee communications
Perform proper data collection
Auditor needs to determine how data will be gathered for evidence to support the audit report
Data collection techniques
Staff observation
Document review
Interviews
Workshops
Computer-assisted audit tools (CAAT)
Surveys
Review existing controls (review the existing internal controls that are intended to prevent, detect, or correct problems)

6- Gathering Audit Evidence

Evidence is a collection of verifiable information that is used to prove or disprove a point
Typical Evidence for IS Audits includes
Documentary evidence, which can include a business record of transactions, receipts, invoices, logs, etc.
Data extraction, which mines details from data files using automated tools
Auditee claims, which are representations made in oral or written statements
Analysis of plans, policies, procedures, and flowcharts
Results of compliance and substantive audit tests
Auditor's observations of auditee work

7- Performing Audit Tests
Two basic methods have been used for audit testing
Compliance testing
Substantive testing
Compliance testing tests for the presence or absence of something
Information security policy present or not
System audit logs activated or not
Backup copies present or not, etc.
Substantive testing seeks to verify the content and integrity of evidence; it may include
Complex calculations to verify account balances
Perform physical inventory counts
Execute sample transactions to verify the accuracy, etc.

8- Analyzing the Results

The goal is to determine if samples tested by the auditor indicate conformity (meets requirement) or nonconformity (fails requirement)
Sufficiency of evidence
Is there enough evidence of sufficient quantity and quality to fulfill the intended purpose and scope of the audit? If not, the auditor will not be able to prove conformity
Contradictory evidence
Contradictory evidence suggests either the auditor is doing something wrong or you have discovered evidence proving a problem actually exists (nonconformity)

9- Report Audit Findings

Reporting is the process by which the auditor conveys their findings to management; it includes
A title that includes the word independent (for an external audit)
The applicable date of the report
Identification of the parties
An executive summary
Any visual representations, charts, graphs, or diagrams
A statement of the standards followed during the audit
A statement of the procedures performed
A statement of any auditor concerns, reservations
Detailed findings and the auditor's opinion
Auditor signature and contact information
10- Conduct any follow-up activities

Sometimes events of concern are discovered, or occur, after an audit has been completed
Events pose a material challenge to your final report
These may require additional disclosures or adjustments to your report based on the nature of the event that was recently discovered or occurred
