Conducting the IT Audit


Conducting the IT Audit
Revised in 2014

Content
- ISACA IT Audit Standards, Guidelines and Procedures
- IT Audit Lifecycle
- Audit Work papers
- Using COBIT framework to perform audit

CISB424, Sulfeeza

ISACA IT Audit Standards, Guidelines and Procedures

IT Assurance Framework (ITAF)
A comprehensive and good-practice-setting reference model that:
- Establishes standards that address IS audit and assurance professional roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements
- Defines terms and concepts specific to IS assurance
- Provides guidance and tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments
(Source: ISACA)

ISACA IT Audit Standards, Guidelines and Procedures

IT Assurance Framework (ITAF) provides three (3) levels of guidance:

A) Standards – define mandatory requirements for IT auditing and reporting. ITAF IS audit and assurance standards are divided into three (3) categories:
- General standards (1000 series): Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.
- Performance standards (1200 series): Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care.
- Reporting standards (1400 series): Address the types of reports, means of communication and the information communicated.
(Source: ISACA; Cascarino, 2012)

ISACA IT Audit Standards, Guidelines and Procedures

IT Assurance Framework (ITAF) provides three (3) levels of guidance and procedures:

B) Guidelines – provide guidance in applying IT audit standards. ITAF IS audit and assurance guidelines are also divided into three (3) categories:
- General guidelines (2000 series)
- Performance guidelines (2200 series)
- Reporting guidelines (2400 series)

C) Tools and techniques (Section 3000) – provide specific information on various methodologies, tools and templates, and provide direction in their application and use to operationalize the information provided in the guidance.
(Source: ISACA; Cascarino, 2012)

IT Audit Lifecycle
1. Audit Planning & Preparation
2. Audit Execution
3. Audit Follow-up

IT Audit Lifecycle – Planning & Preparation
Auditor assignment / Audit request

1. Identification of audit objectives, scope, tasks and duration
2. Preliminary study of the auditee’s operations and environment

1. Selection of audit team members
2. Allocation of tasks to each team member
3. Deciding when tasks should commence
4. Estimation of duration for each task based on the allocated auditors

1. Engagement letter to auditee

IT Audit Lifecycle – Execution

Fieldwork
1. Review of risks and internal controls implemented
2. Testing of controls
   Sampling approaches:
   - Non-statistical/judgmental sampling
   - Statistical sampling
3. Risk assessment
4. Identification and development of findings
   Components of a finding:
   - Criteria: standards against which observed conditions will be measured
   - Conditions: the actual observations during audit testing
   - Effects: the impact on the business associated with the observed problem
   - Cause: reasons for internal control failures

Solution development
1. Propose recommendations
   a. No changes
   b. Improve control
   c. Transfer of risk
   Recommendation approaches:
   - Recommendation Approach: auditors provide recommendations for the raised issues and ask auditees whether they agree with the proposed recommendations
   - Management-Response Approach: auditors highlight issues; auditees provide the responses and action plans
   - Solution Approach: auditors and auditees collaborate to come up with solutions to resolve issues

Report Issuance
1. Conduct exit meeting: to discuss the findings, recommendations, and text of the draft. The auditees may comment on the draft, and the group works to reach an agreement on the audit findings
2. Draft Report
3. Final Report

IT Audit Lifecycle – Follow Up

Recommendations Evaluation
1. Determine and assess whether audit recommendations have been implemented
2. Follow-up report development and issuance

Self-assessment
1. Perform self-assessment on the audit assignment

Audit work papers

Objectives:
- Document the planning, performance, and review of audit work – include audit planning and scoping decisions, testing methodologies and results, and evidence of review and completion of audit program work steps.
- Provide the principal support for audit communication such as observations, conclusions, and the final report – contain sufficient competent, relevant, and useful information to provide a sound basis (act as evidence) for engagement observations and recommendations to support the auditor's assessment.
- Facilitate third-party reviews and re-performance requirements – provide an audit trail that enables a technically competent individual who has no experience with the prior audit to re-perform procedures.
- Provide a basis for evaluating the internal audit activity's quality control program – tangible representation of the project that can be assessed during the quality review.
(Source: Practice Advisory 2330-1: Recording Information from the International Standards for the Professional Practice of Internal Auditing (Standards))

Audit work papers

The work papers serve as the connecting link between the audit assignment, the auditor's fieldwork, and the final report. Therefore, the work papers will:
- Provide documentation of evidence
- Support findings and recommendations

Work papers and audit cycle

Audit cycle:
1. Audit Planning & Preparation
2. Audit Execution
3. Audit Follow-up

Work papers:
- Audit plan
- Audit program
- Audit working papers
- Draft audit report
- Final audit report
- Follow-up checklist
- Follow-up report

Audit Plan

A detailed outline of the auditor's plans and procedures used in conducting an audit. An audit plan will include the following items:
- the audit objectives and scope of work
- background information about the activities to be audited, including the risks associated with the area
- the resources necessary to perform the audit
- the names of individuals who need to know about the audit
- the results, if appropriate, of an on-site survey to become familiar with the activities and controls to be audited, to identify areas for audit emphasis, and to invite auditee comments and suggestions
- the audit program
- how, when, and to whom audit results will be communicated

Audit Program

Detailed step-by-step procedures to be followed during an audit. Consists of:
- Audit concerns
- Audit objectives
- Evidence to be examined
- Procedures to follow

Audit Checklists

Consists of:
- Things to be done
- Persons who have done it
- Reason(s) for not doing it (if any)
- Date of execution

Audit Findings Worksheet

Consists of:
- Condition
- Criteria
- Cause
- Effect
- Recommendation

Audit Report

A document that is issued to auditee management to record the findings of the audit and recommended actions to rectify findings or improve controls. Consists of:
- Audit Scope
- Executive Summary
- Background and methodology
- Findings/Issues
- Prioritised action list, with suggested fixes and timeline

Sample audit report (http://www.nserc-crsng.gc.ca/_doc/Reports-Rapports/Audits-Verifications/IT05Full-IT05Detaille_eng.pdf)

COBIT®

- Was introduced to meld existing IT standards and best practices into a comprehensive structure to achieve internationally accepted governance standards
- Encompasses the full range of IT activities and processes which focus on the achievement of control objectives
- Is designed to be utilized by different sets of entities in an organization:
  - Top management – to ensure value is obtained from the IT investment, and risk and control are balanced
  - Middle management – to ensure that management and control of IT resources is appropriate
  - IT management – to ensure that business strategy is supported by IT resources in a controlled and appropriately managed manner
  - IT auditor – to evaluate adequacy of controls, design appropriate tests to determine the controls’ effectiveness, and provide management with appropriate advice on the IT-related internal controls
(Source: Cascarino, 2012)

COBIT® Framework

a) Planning and Organizing Domain (10 processes)
   Processes undertaken by management in order to ensure that the IT function is properly planned and controlled to provide assurance that IT objectives will be achieved
b) Acquire and Implement (7 processes)
   Processes involved in identifying solutions through to installation and accreditation of solutions and changes
c) Deliver and Support (13 processes)
   Processes required to deliver the appropriate service levels, manage information and operations, and ensure appropriate performance
d) Monitor and Evaluate (4 processes)
   Processes required to monitor the overall IT performance and ensure effective IT governance