Information System Audit Process

The document outlines the role and skills required for Information System (IS) auditors, emphasizing the importance of risk assessment and various auditing approaches. It discusses the risk-based approach to auditing, highlighting its benefits in identifying vulnerabilities and improving decision-making. Additionally, it covers different types of IS audits and the standards set by ISACA for effective IT audit and assurance management.

SYS A-320

INFORMATION SYSTEM AUDIT
LECTURE 2: The process of Auditing Information Systems

Course Lecturer:
Chikondi Chisanga Funsani (Mrs)
LESSON OUTCOMES

a. Role of IS Auditor
b. Describe the skills required for an IS audit process
c. Approaches to the auditing process
d. Discuss the risk-based approach to IS auditing
e. Explain why an auditor should always also consider the risks involved in an organization when conducting an IS audit
f. Types of information system audit
ROLE OF IS AUDITOR
• An Information System (IS) auditor plays a crucial role in evaluating the effectiveness and efficiency of an organization's information systems, related processes and controls. Their responsibilities include:
  • Assessing IS risks and controls.
  • Evaluating IS governance and management practices.
  • Examining IS compliance with legal and regulatory requirements.
  • Conducting IT audits and security reviews.
  • Providing independent and objective opinions on the IS controls and systems.
  • Recommending improvements to enhance the organization's IS practices and security posture.

ROLE OF IS AUDITOR CONT’
• The ultimate goal of an IS auditor is to ensure the confidentiality, integrity, and availability of an organization's information and its systems, and to support the organization in achieving its objectives.
SKILLS REQUIRED FOR AN IS AUDIT PROCESS
• An Information System (IS) auditor requires a range of technical, business and interpersonal skills to perform their role effectively. Some of the key skills required for an IS auditor include:
  • Technical knowledge: Understanding of information systems, networks, databases, security and programming.
  • Auditing skills: Knowledge of auditing principles, methodologies, and techniques, as well as experience in conducting IT audits.
  • Risk assessment: Ability to identify, assess, and prioritize information systems risks.

SKILLS REQUIRED FOR AN IS AUDIT PROCESS CONT’
  • Compliance knowledge: Familiarity with laws, regulations, and standards related to information security and privacy.
  • Problem-solving skills: Ability to analyze complex systems and processes, and identify potential areas of weakness.
  • Communication skills: Ability to clearly and effectively communicate audit findings, recommendations, and action plans to stakeholders.

SKILLS REQUIRED FOR AN IS AUDIT PROCESS CONT’
  • Project management skills: Ability to manage multiple projects and deliver high-quality results within tight timelines.
  • Adaptability: Ability to keep up with changes in technology, regulations, and industry standards.
• In summary, an IS auditor should have a strong technical background, combined with good communication and interpersonal skills, as well as a commitment to continuous learning and improvement.
APPROACHES TO INFORMATION SYSTEM (IS) AUDIT
• There are several approaches to Information System (IS) auditing, including:
  • Compliance-based approach: This approach focuses on evaluating the compliance of IS systems and processes with legal, regulatory, and organizational requirements.
    • The goal is to ensure that IS is operating in accordance with established standards and policies.
  • Control-based approach: This approach focuses on evaluating the design and effectiveness of IS controls, such as access controls, data backup and recovery, and disaster recovery plans.
    • The goal is to ensure that the IS environment is secure and that the confidentiality, integrity, and availability of data are protected.

APPROACHES TO INFORMATION SYSTEM AUDIT CONT’
  • Risk-based approach: This approach prioritizes IS auditing efforts based on the level of risk associated with specific IS systems, processes, and data.
    • The goal is to ensure that auditing efforts are focused on areas that pose the greatest risk to the organization.
  • Performance-based approach: This approach focuses on evaluating the performance of IS systems and processes.
    • The goal is to identify areas for improvement and ensure that IS is contributing effectively to the organization's goals and objectives.

APPROACHES TO INFORMATION SYSTEM AUDIT CONT’
  • Process-based approach: This approach focuses on evaluating the end-to-end processes that are supported by IS, such as procurement, financial reporting, or human resources.
    • The goal is to ensure that IS is integrated with and supporting key business processes.
• Each approach has its own strengths and weaknesses, and the choice of approach will depend on the specific requirements of the IS audit and the goals of the organization.
• In practice, a combination of approaches is often used to achieve a comprehensive assessment of the IS environment.
RISK-BASED APPROACH TO IS AUDITING
• The risk-based approach to Information System (IS) auditing involves prioritizing auditing efforts based on the level of risk associated with specific IS systems, processes, and data.
• This approach takes into account the potential impact to the organization if a control failure or security breach were to occur.
• In a risk-based IS audit, auditors assess the level of risk associated with different aspects of the IS environment and prioritize their audit efforts accordingly.
• This may include evaluating the sensitivity of data, the criticality of systems and processes, and the potential consequences of a control failure or security breach.

THE BENEFITS OF A RISK-BASED IS AUDIT INCLUDE:
• Helps to identify potential areas of weakness or vulnerabilities in the organization's systems and processes.
• Improved focus: By focusing audit efforts on higher-risk areas, auditors can ensure that they are addressing the most critical issues first.
• Increased efficiency: By avoiding low-risk areas, auditors can complete their work more quickly and cost-effectively.
• Improved decision making: By understanding the level of risk associated with different aspects of the IS environment, auditors can make more informed recommendations for improvements.
• Better risk management: By identifying and prioritizing risks, auditors can help organizations to manage risk more effectively and ensure that the IS environment is secure and control risks are minimized.

THE BENEFITS OF A RISK-BASED IS AUDIT CONT’
• By evaluating the risk of a particular process or system, the auditor can ensure that appropriate controls are in place to mitigate those risks, and that any vulnerabilities are addressed.
• This approach helps to promote accountability, transparency and confidence in the organization's systems and processes, and ultimately, its financial reporting.
ISACA IT AUDIT AND ASSURANCE STANDARDS AND GUIDELINES
• ISACA (Information Systems Audit and Control Association) is a globally recognized professional association for individuals and organizations involved in information security, assurance, risk management, and governance.
• ISACA provides a framework of standards and guidelines for IT audit and assurance professionals to follow.
• The most commonly used ISACA standards and guidelines for IT audit and assurance include:
  • COBIT (Control Objectives for Information and related Technology):
    • A framework for IT governance and management that provides a comprehensive set of best practices for the management of IT processes and technologies.
TYPES OF INFORMATION SYSTEM AUDIT
• There are several types of information system (IS) audits, including:
  • Compliance Audit: Evaluates the adherence of IS to legal and regulatory requirements, policies and standards.
  • Operational Audit: Examines the efficiency and effectiveness of IS operations and their contribution to the organization's goals.
  • Security Audit: Assesses the security of IS systems, data, and networks, to identify vulnerabilities and ensure the protection of sensitive information.

TYPES OF INFORMATION SYSTEM AUDIT CONT’
  • Financial Audit: Verifies the accuracy and reliability of IS-generated financial information and ensures compliance with accounting standards.
  • Performance Audit: Measures the performance of IS systems and processes and makes recommendations for improvement.
  • Disaster Recovery Audit: Evaluates the organization's disaster recovery plans and procedures to ensure that they are effective and capable of restoring systems and data in the event of a disaster.
  • IT Governance Audit: Assesses the alignment of IS with the organization's goals and objectives, and the effectiveness of its IT governance (control) processes.
ISACA IT AUDIT AND ASSURANCE STANDARDS AND GUIDELINES
  • IT Assurance Framework (ITAF): A guide for conducting IT audits, which provides a systematic approach to the audit process, including planning, execution, and reporting.
  • Val IT: A framework for managing the value of IT investments that provides guidance on aligning IT investments with business objectives and ensuring the delivery of expected benefits.
  • Risk IT: A framework for IT risk management that provides a systematic approach to managing risk in the IT environment and aligning IT risk management with overall enterprise risk management.
• By adhering to these standards and guidelines, IT audit and assurance professionals can ensure the quality of their work and provide valuable insight and recommendations to their organizations.

MANAGEMENT OF AUDITING FUNCTION
• ISACA IT Audit and Assurance Standards and Guidelines provide a framework for the management of the auditing function within an organization.
• These standards and guidelines provide direction on how to effectively plan, execute, and report on IT audits, as well as how to manage the overall IT audit and assurance program.
• To effectively manage the auditing function, the following steps can be taken, with reference to ISACA standards and guidelines:
END OF LECTURE 1

THANK YOU!

REFERENCES & FURTHER READING
⚫ Cascarino, R.E., 2007. Auditor's Guide to Information Systems Auditing. John Wiley & Sons.
⚫ Champlain, J.J., 2003. Auditing Information Systems. John Wiley & Sons.
⚫ Hunton, J.E., Bryant, S.M. and Bagranoff, N.A., 2004. Core Concepts of Information Technology Auditing. John Wiley & Sons.
⚫ Weber, R.A., 1998. Information Systems Control and Auditing. Prentice Hall.