Conducting the IT Audit
Revised in 2014
Content
• ISACA IT Audit Standards, Guidelines and Procedures
• IT Audit Lifecycle
• Audit Work Papers
• Using the COBIT framework to perform an audit
CISB424, Sulfeeza
ISACA IT Audit Standards, Guidelines and Procedures
IT Assurance Framework (ITAF)
A comprehensive and good-practice-setting reference model that:
1. Establishes standards that address IS audit and assurance professional roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements
2. Defines terms and concepts specific to IS assurance
3. Provides guidance and tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments
(Source: ISACA)
ISACA IT Audit Standards, Guidelines and Procedures
IT Assurance Framework (ITAF) provides three (3) levels of guidance:
A) Standards – define mandatory requirements for IT auditing and reporting. ITAF IS audit and assurance standards are divided into three (3) categories:
1. General standards (1000 series) – the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.
2. Performance standards (1200 series) – deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care.
3. Reporting standards (1400 series) – address the types of reports, means of communication and the information communicated.
(Source: ISACA; Cascarino, 2012)
ISACA IT Audit Standards, Guidelines and Procedures
IT Assurance Framework (ITAF) provides three (3) levels of guidance and procedures (continued):
B) Guidelines – provide guidance in applying IT audit standards. ITAF IS audit and assurance guidelines are also divided into three (3) categories:
1. General guidelines (2000 series)
2. Performance guidelines (2200 series)
3. Reporting guidelines (2400 series)
C) Tools and techniques (Section 3000) – provide specific information on various methodologies, tools and templates, and provide direction in their application and use to operationalize the information provided in the guidance.
(Source: ISACA; Cascarino, 2012)
IT Audit Lifecycle
1. Audit Planning & Preparation
2. Audit Execution
3. Audit Follow-up
IT Audit Lifecycle – Planning & Preparation
Planning
1. Identification of audit objectives, scope, tasks and duration
2. Preliminary study of the auditee’s operations and environment
Auditor assignment
1. Selection of audit team members
2. Allocation of tasks to each team member
3. Deciding when tasks should commence
4. Estimation of duration for each task based on the allocated auditors
Audit request
1. Engagement letter to auditee
IT Audit Lifecycle – Execution
Fieldwork
1. Review of risks and internal controls implemented
2. Testing of controls
   Sampling approaches:
   • Non-statistical/judgmental sampling
   • Statistical sampling
3. Risk assessment
4. Identification and development of findings
   Components of a finding:
   • Criteria – the standards against which observed conditions will be measured
   • Conditions – the actual observations made during audit testing
   • Effects – the impact to the business associated with the observed problem
   • Cause – the reasons for the internal control failures
Solution development
1. Propose recommendations:
   a. No changes
   b. Improve control
   c. Transfer of risk
   Recommendation approaches:
   • Recommendation Approach – auditors provide recommendations for the raised issues, and inquire of auditees whether they agree with the proposed recommendations
   • Management-Response Approach – auditors highlight issues; auditees provide the responses and action plans
   • Solution Approach – collaborative work between auditors and auditees in coming out with solutions to resolve the issues
Report issuance
1. Conduct exit meeting:
   a) To discuss the findings, recommendations, and text of the draft.
   b) The auditees may comment on the draft and the group works to reach an agreement on the audit findings.
2. Draft report
3. Final report
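The "Testing of controls" step above names statistical sampling without showing how an auditor sizes a sample or decides what a sample result proves. The following added example (not part of the slides, and not ISACA or course material) works the standard attribute-sampling case through end to end: size the sample for a chosen confidence level and tolerable deviation rate, draw it at random, count deviations, and compute the upper deviation limit that decides whether the control is supported. The population of change tickets, the attribute name `approved_before_deploy`, the zero-expected-deviation sizing formula and the binomial evaluation are assumptions made for this example; the deviation ids are kept so that the test can be re-performed from the work papers.

```python
import math
import random
from typing import Dict, List, Tuple

# Constructed population (an assumption for this example): 400 change
# tickets. The control attribute under test is that each change carried a
# documented approval before deployment; every 50th ticket lacks one.
POPULATION: List[Dict] = [
    {"id": f"CHG-{i:04d}", "approved_before_deploy": (i % 50 != 0)}
    for i in range(1, 401)
]


def attribute_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Planning: smallest n such that, if the sample shows zero deviations,
    the auditor can state with `confidence` that the population deviation
    rate does not exceed `tolerable_rate`. Solves (1 - p)^n <= 1 - C,
    the zero-expected-deviation attribute-sampling case."""
    if not (0 < confidence < 1 and 0 < tolerable_rate < 1):
        raise ValueError("confidence and tolerable_rate must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i)
               for i in range(k + 1))


def upper_deviation_limit(n: int, k: int, confidence: float) -> float:
    """Evaluation: the highest population deviation rate still consistent,
    at `confidence`, with observing k deviations in n items. Found by
    bisection, since the binomial tail P(X <= k) decreases as p grows."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binomial_cdf(k, n, mid) > 1 - confidence:
            lo = mid   # rate `mid` is not rejected by the sample: look higher
        else:
            hi = mid   # rate `mid` is rejected at this confidence
    return hi


def evaluate_control_test(n: int, k: int, tolerable_rate: float,
                          confidence: float) -> Tuple[float, bool]:
    """Return (upper deviation limit, control supported?). The control is
    supported only when the upper limit is within the tolerable rate."""
    udl = upper_deviation_limit(n, k, confidence)
    return udl, udl <= tolerable_rate


def run_control_test(population: List[Dict], attribute: str,
                     tolerable_rate: float, confidence: float,
                     seed: int = 2014) -> Dict:
    """Fieldwork step 2 end to end: size the sample, draw it at random
    (seeded so a reviewer can re-perform the draw), count deviations and
    evaluate. The deviation ids belong in the work papers."""
    n = attribute_sample_size(confidence, tolerable_rate)
    sample = random.Random(seed).sample(population, n)
    deviations = [item["id"] for item in sample if not item[attribute]]
    udl, supported = evaluate_control_test(n, len(deviations),
                                           tolerable_rate, confidence)
    return {
        "sample_size": n,
        "deviations": len(deviations),
        "deviation_ids": deviations,
        "upper_deviation_limit": round(udl, 4),
        "control_supported": supported,
    }


if __name__ == "__main__":
    result = run_control_test(POPULATION, "approved_before_deploy",
                              tolerable_rate=0.05, confidence=0.95)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With a 5% tolerable rate and 95% confidence the sizing step yields 59 items, matching the familiar attribute-sampling tables for zero expected deviations; a single deviation in that sample already pushes the upper limit above 5%, so the control would be reported as not supported rather than "mostly fine". Requires Python 3.8 or later for `math.comb`.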
IT Audit Lifecycle – Follow-up
Recommendations evaluation
1. Determine and assess whether the audit recommendations have been implemented
2. Follow-up report development and issuance
Self-assessment
1. Perform a self-assessment of the audit assignment
Audit Work Papers
Objectives:
1. Document the planning, performance, and review of audit work – include audit planning and scoping decisions, testing methodologies and results, and evidence of review and completion of audit program work steps.
2. Provide the principal support for audit communication such as observations, conclusions, and the final report – contain sufficient competent, relevant, and useful information to provide a sound basis (act as evidence) for engagement observations and recommendations to support the auditor’s assessment.
3. Facilitate third-party reviews and re-performance requirements – provide an audit trail that enables a technically competent individual who has no experience with the prior audit to re-perform the procedures.
4. Provide a basis for evaluating the internal audit activity’s quality control program – a tangible representation of the project that can be assessed during the quality review.
(Source: Practice Advisory 2330-1: Recording Information, from the International Standards for the Professional Practice of Internal Auditing (Standards))
Audit Work Papers
• The work papers serve as the connecting link between the audit assignment, the auditor’s fieldwork, and the final report.
• Therefore, the work papers will:
  a) Provide documentation of evidence
  b) Support findings and recommendations
Work Papers and the Audit Cycle
1. Audit Planning & Preparation
   1. Audit plan
   2. Audit program
2. Audit Execution
   1. Audit working papers
   2. Draft audit report
   3. Final audit report
3. Audit Follow-up
   1. Follow-up checklist
   2. Follow-up report
Audit Plan
• A detailed outline of the auditor’s plans and procedures used in conducting an audit.
• An audit plan will include the following items:
  – the audit objectives and scope of work
  – background information about the activities to be audited, including the risks associated with the area
  – the resources necessary to perform the audit
  – the names of individuals who need to know about the audit
  – the results, if appropriate, of an on-site survey to become familiar with the activities and controls to be audited, to identify areas for audit emphasis, and to invite auditee comments and suggestions
  – the audit program
  – how, when, and to whom audit results will be communicated
Audit Program
• Detailed step-by-step procedures to be followed during an audit.
• Consists of:
  – Audit concerns
  – Audit objectives
  – Evidence to be examined
  – Procedures to follow
Audit Checklists
• Consist of:
  – Things to be done
  – Persons who have done them
  – Reason(s) for not doing them (if any)
  – Date of execution
Audit Findings Worksheet
• Consists of:
  – Condition
  – Criteria
  – Cause
  – Effect
  – Recommendation
Audit Report
• A document that is issued to auditee management to record the findings of the audit and the recommended actions to rectify findings or improve controls.
• Consists of:
  – Audit scope
  – Executive summary
  – Background and methodology
  – Findings/issues
  – Prioritised action list, with suggested fixes and timeline
• Sample audit report: http://www.nserc-crsng.gc.ca/_doc/Reports-Rapports/Audits-Verifications/IT05Full-IT05Detaille_eng.pdf
COBIT®
• Was introduced to meld existing IT standards and best practices into a comprehensive structure in order to achieve internationally accepted governance standards
• Encompasses the full range of IT activities and processes, which focus on the achievement of control objectives
• Is designed to be used by different sets of entities in an organization:
  1. Top management – to ensure that value is obtained from the IT investment, and that risk and control are balanced
  2. Middle management – to ensure that management and control of IT resources is appropriate
  3. IT management – to ensure that the business strategy is supported by IT resources in a controlled and appropriately managed manner
  4. IT auditor – to evaluate the adequacy of controls, design appropriate tests to determine the controls’ effectiveness, and provide management with appropriate advice on the IT-related internal controls
(Source: Cascarino, 2012)
COBIT® Framework
a) Planning and Organizing domain (10 processes) – processes undertaken by management in order to ensure that the IT function is properly planned and controlled, to provide assurance that IT objectives will be achieved
b) Acquire and Implement (7 processes) – processes involved in identifying solutions through to installation and accreditation of solutions and changes
c) Deliver and Support (13 processes) – processes required to deliver the appropriate service levels, manage information and operations, and ensure appropriate performance
d) Monitor and Evaluate (4 processes) – processes required to monitor overall IT performance and ensure effective IT governance