
Audit of Information Technology
Chapter 1: The Information Systems Audit Process

Adrián Hernández Medina
Alejandra Ramírez Antonio
Beatriz Alicia Rivera Mendoza

July 25, 2015

Content
Introduction
Quick Reference
Management of the Information Systems Audit Function
ISACA Audit and Assurance Standards and Guidelines
Risk analysis
Internal Controls
Perform Audits of Information Systems
Self-Assessment of Control
Emerging changes in the Auditing Process
Conclusions
Questions

Introduction
Since 1978, the Certified Information
Systems Auditor (CISA) program, sponsored
by ISACA, has been the globally accepted
standard among information systems (IS)
audit, control, and security professionals.

Quick Reference

Management of the Information Systems Audit Function

ISACA Audit and Assurance Standards and Guidelines

ISACA sets forth this Code of Professional Ethics to guide the
professional and personal conduct of members of the association
and/or its certification holders.

Code of Professional Ethics

GENERAL FRAMEWORK OF IT AUDIT AND ASSURANCE STANDARDS

IT Audit and Assurance Guidelines

The aim of the ISACA IT audit and assurance guidelines is to provide
additional information on how to comply with the ISACA auditing and
assurance standards. The auditor should:

Use professional judgment in applying them to specific audits.
Justify any difference.

Index of IT Audit and Assurance Guidelines

G1 Using the Work of Other Auditors with effect from March 1, 2008
G2 Audit Evidence Requirement with effect from May 1, 2008
G3 Use of Computer-Assisted Audit Techniques (CAATs) with effect from March 1, 2008
G4 Outsourcing of IS Activities to Other Organizations with effect from May 1, 2008
G5 Audit Charter with effect from February 1, 2008
G6 Materiality Concepts for Auditing Information Systems with effect from May 1, 2008
G7 Due Professional Care with effect from March 1, 2008
G8 Audit Documentation with effect from March 1, 2008
G9 Audit Considerations for Irregularities and Illegal Acts effective from 1 September 2008
G10 Audit Sampling with effect from August 1, 2008
G11 Effect of General IS Controls with effect from August 1, 2008
G12 Organisational Relationship and Independence with effect from August 1, 2008
G13 Use of Risk Assessment in Audit Planning with effect from August 1, 2008
G14 Review of Application Systems in force since 1 December 2008
G15 Audit Planning effective from May 1, 2010
G16 Effect of Third Parties on the IT Controls of an Organization with effect from March 1, 2009
G17 Effect of Non-Audit Role on the IT Audit and Assurance Professional's Independence effective from May 1, 2010
G18 IT Governance effective from 1 July 2002
G19 Irregularities and Illegal Acts, removed September 1, 2008
G20 Reporting Techniques effective from September 16, 2006

Index of IT Audit and Assurance Guidelines (continued)

G21 Review of Enterprise Resource Planning (ERP) Systems effective as of September 16, 2010
G22 Review of Business-to-Customer (B2C) E-commerce effective as of August 1, 2003
G23 Review of the Systems Development Life Cycle (SDLC) with effect from August 1, 2003
G24 Internet Banking with effect from August 1, 2003
G25 Review of Virtual Private Networks with effect from July 1, 2004
G26 Review of Business Process Reengineering (BPR) Projects with effect from July 1, 2004
G27 Mobile Computing with effect from September 1, 2004
G28 Computer Forensics with effect from September 1, 2004
G29 Post-implementation Review with effect from January 1, 2005
G30 Competence with effect from June 1, 2005
G31 Privacy with effect from June 1, 2005
G32 Review of Business Continuity Planning from an IT Perspective with effect from September 1, 2005
G33 General Considerations on the Use of the Internet with effect from March 1, 2006
G34 Responsibility, Authority and Accountability with effect from March 1, 2006
G35 Follow-up with effect from March 1, 2006
G36 Biometric Controls with effect from February 1, 2007
G37 Configuration Management with effect from November 1, 2007
G38 Access Control with effect from February 1, 2008
G39 IT Organizations with effect from May 1, 2008
G40 Review of Security Management Practices in force since 1 December 2008
G41 Return on Security Investment (ROSI) effective from May 1, 2010
G42 Continuous Assurance effective from May 1, 2010

Index of IT Audit and Assurance Tools and Techniques

INFORMATION TECHNOLOGY ASSURANCE FRAMEWORK (ITAF)

Section 2200 - General Standards

Section 2400 - Performance Standards

Section 2600 - Standards on Reports

Section 3000 - IT Assurance Guidelines

Section 3200 - Related Business Topics

Section 3400 - IT Management Processes

Section 3600 - IT Audit and Assurance Processes

Section 3800 - IT Audit and Assurance Management

Risk analysis

Internal Controls

Perform Audits of Information Systems

To perform an audit, several steps are required.
Proper planning is the necessary first step for
effective audits.

Classification of audits

General Audit Procedures

Phases of the audit

Risk Types

Risk Treatment

Objectives of the audit

Evidence

Sampling

Sampling Methods

Computer-Assisted Audit Techniques (CAATs)

CAATs are important tools for the auditor to gather
information from these environments. They
include many types of tools and techniques, such
as generalized audit software (GAS), among
others.
GAS refers to standard software that has the
ability to read and access data directly from
various database platforms, systems and ASCII
flat-file formats.

Communication of audit results

Audit documentation

Self-Assessment of Control

Feature: Description

CSA objectives:
Leverage the internal audit function by shifting some of the monitoring responsibilities.
Educate management about the design and monitoring of controls, particularly in the areas of concentration risk.

CSA benefits:
Early detection of risk
More effective and improved internal controls
Increased awareness of employees about the objectives of the organization
Highly motivated employees
Increased safety of stakeholders and clients
Reduced control costs
Greater communication between operational managers and senior management

Disadvantages of CSA:
It could be mistaken for a replacement of the audit function
It is considered an additional workload
Failure to implement the suggested improvements could damage employee morale

Emerging changes in the Auditing Process

Conclusions
Auditing information systems provides information about the
state of the systems, and the resulting report allows senior
management to take the necessary measures to achieve
business goals.
