Information Systems Audit Methodology
Contents
1 Introduction
2 Information Systems Audit Methodology
2.1 PHASE 1: Audit Planning
2.2 PHASE 2: Risk Assessment and Business Process Analysis
2.2.1 Our Risk Based Information Systems Audit Approach
2.3 PHASE 3: Performance of Audit Work
2.3.1 Control Objectives for Information and related Technology (COBIT)
2.3.2 Application Control Review
2.3.3 The use of Computer Aided Audit Techniques (CAATs) in the performance of an IS Audit
2.4 PHASE 4: Reporting
Introduction
An information system (IS) audit or information technology (IT) audit is an examination of the
controls within an entity's Information technology infrastructure.
These reviews may be performed in conjunction with a financial statement audit, internal audit,
or other form of attestation engagement. It is the process of collecting and evaluating evidence about
an organization's information systems, practices, and operations. Evaluating the evidence obtained
determines whether the organization's information systems safeguard assets, maintain data
integrity, and operate effectively and efficiently to achieve the organization's goals or
objectives.
An IS audit is not entirely similar to a financial statement audit. An evaluation of internal
controls may or may not take place in an IS audit. Reliance on internal controls is a unique
characteristic of a financial audit.
An evaluation of internal controls is necessary in a financial audit, in order to allow the auditor to
place reliance on the internal controls, and therefore, substantially reduce the amount of testing
necessary to form an opinion regarding the financial statements of the company.
An IS audit, on the other hand, tends to focus on determining risks that are relevant to
information assets, and in assessing controls in order to reduce or mitigate these risks.
An IT audit may take the form of a "general control review" or a "specific control review".
Regarding the protection of information assets, one purpose of an IS audit is to review and
evaluate an organization's information system's availability, confidentiality, and integrity by
answering the following questions:
1. Will the organization's computerized systems be available for the business at all times
when required? (Availability)
2. Will the information in the systems be disclosed only to authorized users?
(Confidentiality)
3. Will the information provided by the system always be accurate, reliable, and timely?
(Integrity).
The performance of an IS Audit covers several facets of the financial and organizational
functions of our Clients.
The diagram to the right gives you an overview of the Information Systems Audit flow: From
Financial Statements to the Control Environment and Information Systems Platforms.
Information Systems Audit Methodology
Our methodology has been developed in accordance with International Information Systems
Audit Standards e.g. ISACA Information Systems Audit Standards and Guidelines and the
Sarbanes-Oxley COSO Standard.
The beginning point of this methodology is to carry out planning activities that are geared
towards integrating a Risk Based Audit Approach to the IS Audit.
PHASE 1: Audit Planning
In this phase we plan the information system coverage to comply with the audit objectives
specified by the Client and ensure compliance to all Laws and Professional Standards.
The first thing is to obtain an Audit Charter from the Client detailing the purpose of the audit, the
management responsibility, authority and accountability of the Information Systems Audit
function as follows:
1. Responsibility: The Audit Charter should define the mission, aims, goals and objectives
of the Information System Audit. At this stage we also define the Key Performance
Indicators and an Audit Evaluation process;
2. Authority: The Audit Charter should clearly specify the Authority assigned to the
Information Systems Auditors with relation to the Risk Assessment work that will be
carried out, right to access the Client’s information, the scope and/or limitations to the
scope, the Client’s functions to be audited and the auditee expectations; and
3. Accountability: The Audit Charter should clearly define reporting lines, appraisals,
assessment of compliance and agreed actions.
The Audit Charter should be approved and agreed upon by an appropriate level within the
Client’s Organization.
See Template for an Audit Charter/ Engagement Letter here.
In addition to the Audit Charter, we should be able to obtain a written representation (“Letter of
Representation”) from the Client’s Management acknowledging:
1. Their responsibility for the design and implementation of the Internal Control Systems
affecting the IT Systems and processes
2. Their willingness to disclose to the Information Systems Auditor their knowledge of
irregularities and/or illegal acts affecting their organization pertaining to management and
employees with significant roles within the internal audit department.
3. Their willingness to disclose to the IS Auditor the results of any risk assessment of whether a
material misstatement may have occurred
See a Template for a Letter of Representation here.
PHASE 2 – Risk Assessment and Business Process Analysis
Risk is the possibility of an act or event occurring that would have an adverse effect on the
organization and its information systems. Risk can also be the potential that a given threat will
exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to, the assets. It is
ordinarily measured by a combination of effect and likelihood of occurrence.
More and more organizations are moving to a risk-based audit approach that can be adapted to
develop and improve the continuous audit process.
This approach is used to assess risk and to assist an IS auditor’s decision to do either compliance
testing or substantive testing.
In a risk based audit approach, IS auditors are not just relying on risk.
They are also relying on internal and operational controls as well as knowledge of the
organization.
This type of risk assessment decision can help relate the cost/benefit analysis of the control to the
known risk, allowing practical choices.
The process of quantifying risk is called Risk Assessment. Risk Assessment is useful in making
decisions such as:
1. The area/business function to be audited
2. The nature, extent and timing of audit procedures
3. The amount of resources to be allocated to an audit
The following types of risks should be considered:
Inherent Risk: Inherent risk is the susceptibility of an audit area to error which could be
material, individually or in combination with other errors, assuming that there were no related
internal controls.
In assessing the inherent risk, the IS auditor should consider both pervasive and detailed IS
controls.
This does not apply to circumstances where the IS auditor’s assignment is related to pervasive IS
controls only.
Pervasive IS Controls are general controls which are designed to manage and monitor the IS
environment and which therefore affect all IS-related activities. Some of the pervasive IS
Controls that an auditor may consider include:
The integrity of IS management and IS management experience and knowledge
Changes in IS management
Pressures on IS management which may predispose them to conceal or misstate
information (e.g. large business-critical project over-runs, and hacker activity)
The nature of the organization’s business and systems (e.g., the plans for electronic
commerce, the complexity of the systems, and the lack of integrated systems)
Factors affecting the organization’s industry as a whole (e.g., changes in technology, and
IS staff availability)
The level of third party influence on the control of the systems being audited (e.g.,
because of supply chain integration, outsourced IS processes, joint business ventures, and
direct access by customers)
Findings from and date of previous audits
A detailed IS control is a control over acquisition, implementation, delivery and support of IS
systems and services. The IS auditor should consider, to the level appropriate for the audit area in
question:
The findings from and date of previous audits in this area
The complexity of the systems involved
The level of manual intervention required
The susceptibility to loss or misappropriation of the assets controlled by the system (e.g.,
inventory, and payroll)
The likelihood of activity peaks at certain times in the audit period
Activities outside the day-to-day routine of IS processing (e.g., the use of operating
system utilities to amend data)
The integrity, experience and skills of the management and staff involved in applying the
IS controls
Control Risk: Control risk is the risk that an error which could occur in an audit area, and which
could be material, individually or in combination with other errors, will not be prevented or
detected and corrected on a timely basis by the internal control system.
For example, the control risk associated with manual reviews of computer logs can be high
because activities requiring investigation are often easily missed owing to the volume of logged
information.
The control risk associated with computerized data validation procedures is ordinarily low
because the processes are consistently applied.
The IS auditor should assess the control risk as high unless relevant internal controls are:
Identified
Evaluated as effective
Tested and proved to be operating appropriately
Detection Risk: Detection risk is the risk that the IS auditor’s substantive procedures will not
detect an error which could be material, individually or in combination with other errors. In
determining the level of substantive testing required, the IS auditor should consider both:
The assessment of inherent risk
The conclusion reached on control risk following compliance testing
The higher the assessment of inherent and control risk the more audit evidence the IS auditor
should normally obtain from the performance of substantive audit procedures.
Our Risk Based Information Systems Audit Approach
A risk based approach to an Information Systems Audit will enable us to develop an overall and
effective IS Audit plan which will consider all the potential weaknesses and /or absence of
Controls and determine whether this could lead to a significant deficiency or material weakness.
In order to perform an effective Risk Assessment, we will need to understand the Client’s
Business Environment and Operations.
Usually the first phase in carrying out a Risk Based IS Audit is to obtain an understanding of the
Audit Universe. In understanding the Audit Universe we perform the following:
Identify areas where the risk is unacceptably high
Identify critical control systems that address high inherent risks
Assess the uncertainty that exists in relation to the critical control systems
In carrying out the Business Process Analysis we:
Obtain an understanding of the Client Business Processes
Map the Internal Control Environment
Identify areas of Control Weaknesses
The chart to the right summarizes the business process analysis phase.
The template xxx will provide you with a guideline to document an Organizations Business Sub
Processes identified during the risk analysis phase.
For each of the sub-processes, we identify a list of What Could Go Wrong (WCGW). This
WCGW represent the threat existing on a particular process. A single process would have
multiple WCGW’s. For each of the WCGW’s identified in the prior phase we will determine the
Key Activities within that process. For each Key Activity:
1. We will identify the Information Systems Controls
2. For each of the Controls identified, we rate the impact/effect of the lack of that
control (on a rating of 1 - 5, with 5 indicating the highest impact), and we then determine
the likelihood of the threat occurring (also on a rating of 1 - 5, with 5 representing the
highest likelihood).
<< Outline specific risk assessment methodology here>>
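The following Python script is an added example, not part of the original methodology document, that shows how the ratings above and the control-risk rule from Phase 2 (control risk is assessed as high unless the control is identified, evaluated as effective, and tested as operating) can be kept in a small risk register and used to rank sub-processes for audit attention. The sample sub-processes, WCGWs, controls and the banding thresholds (15 and 8) are constructed assumptions for illustration; the document itself specifies only the 1 - 5 impact and likelihood scales.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    """One IS control identified for a key activity, with the three conditions
    the document requires before control risk may be assessed below high."""
    name: str
    identified: bool = True
    evaluated_effective: bool = False
    tested_operating: bool = False


@dataclass
class WCGW:
    """A 'What Could Go Wrong' for a business sub-process and its key activity."""
    sub_process: str
    description: str
    key_activity: str
    impact: int          # 1-5, 5 = highest impact if the control is absent
    likelihood: int      # 1-5, 5 = most likely that the threat occurs
    controls: List[Control] = field(default_factory=list)


def control_risk(control: Control) -> str:
    # Rule from the text: assess control risk as high unless the control is
    # identified, evaluated as effective, and tested as operating appropriately.
    if control.identified and control.evaluated_effective and control.tested_operating:
        return "low"
    return "high"


def risk_score(w: WCGW) -> int:
    # Score = impact x likelihood on the document's 1-5 scales (range 1..25).
    for value in (w.impact, w.likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"rating out of range 1-5: {value}")
    return w.impact * w.likelihood


def risk_rating(score: int) -> str:
    # Banding thresholds are an assumption for this example, not from the document.
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: List[WCGW]) -> List[Tuple[str, str, int, str, str]]:
    """Rank WCGWs for audit attention: highest score first; among equal scores,
    those whose controls still carry high control risk (or that have no
    control at all) come first."""
    rows = []
    for w in register:
        score = risk_score(w)
        if not w.controls or any(control_risk(c) == "high" for c in w.controls):
            residual_control_risk = "high"
        else:
            residual_control_risk = "low"
        rows.append((w.sub_process, w.description, score, risk_rating(score), residual_control_risk))
    return sorted(rows, key=lambda r: (-r[2], r[4] != "high"))


# Constructed sample register (hypothetical sub-processes, not client data).
SAMPLE_REGISTER = [
    WCGW("Payroll", "Unauthorised change to employee pay rates", "Maintain master data", 5, 3,
         [Control("Pay-rate change requires HR approval in workflow", True, True, True)]),
    WCGW("Purchase-to-pay", "Same supplier invoice paid twice", "Process supplier invoices", 4, 4,
         [Control("System duplicate invoice check", True, True, False)]),
    WCGW("IT operations", "Backups cannot be restored after a failure", "Run nightly backups", 5, 2,
         [Control("Quarterly restore test", True, False, False)]),
    WCGW("General ledger", "Manual journal posted without review", "Post manual journals", 3, 2, []),
]

if __name__ == "__main__":
    for sub_process, wcgw, score, rating, ctrl in prioritise(SAMPLE_REGISTER):
        print(f"{score:>2} {rating:<6} control risk={ctrl:<4} {sub_process}: {wcgw}")
```

The ranking is the input to the audit plan in Phase 3: the sub-processes at the top are the "risky areas" that receive the most substantive testing, while a WCGW whose control has been identified, evaluated and tested can be covered with less audit evidence.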
PHASE 3 – Performance of Audit Work
In the performance of Audit Work the Information Systems Audit Standards require us to
provide supervision, gather audit evidence and document our audit work. We achieve this
objective through:
Establishing an Internal Review Process where the work of one person is reviewed by
another, preferably a more senior person.
We obtain sufficient, reliable and relevant evidence through Inspection,
Observation, Inquiry, Confirmation and recomputation of calculations
We document our work by describing audit work done and audit evidence gathered to
support the auditors’ findings.
Based on our risk assessment and upon the identification of the risky areas, we move ahead to
develop an Audit Plan and Audit Program. The Audit Plan will detail the nature, objectives,
timing and the extent of the resources required in the audit.
See Template for a Sample Audit Plan.
Based on the compliance testing carried out in the prior phase, we develop an audit program
detailing the nature, timing and extent of the audit procedures. In the Audit Plan various Control
Tests and Reviews can be done. They are sub-divided into:
1. General/ Pervasive Controls
2. Specific Controls
The chart below to the left shows the Control Review Tests that can be performed for the two
categories of Control Tests above.
Control Objectives for Information and related Technology (COBIT)
The Control Objectives for Information and related Technology (COBIT) is a set of best
practices (framework) for information technology (IT) management created by the Information Systems
Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992.
COBIT provides managers, auditors, and IT users with a set of generally accepted measures,
indicators, processes and best practices to assist them in maximizing the benefits derived through
the use of information technology and developing appropriate IT governance and control in a
company.
COBIT helps meet the multiple needs of management by bridging the gaps between business
risks, control needs and technical issues.
It provides a best practices framework for managing IT resources and presents management
control activities in a manageable and logical structure.
This framework will help optimize technology information investments and will provide a
suitable benchmark measure.
The Framework comprises a set of 34 high-level Control Objectives, one for each of the IT
processes listed in the framework.
These are then grouped into four domains: planning and organization, acquisition and
implementation, delivery and support, and monitoring.
This structure covers all aspects of information processing and storage and the technology that
supports it.
By addressing these 34 high-level control objectives, we will ensure that an adequate control
system is provided for the IT environment. A diagrammatic representation of the framework is
shown below.
We shall apply the COBIT framework in planning, executing and reporting the results of the
audit. This will enable us to review the General Controls Associated with IT Governance Issues.
Our review shall cover the following domains:
Planning and organization of information resources;
The planning and acquisition of systems and path in stage growth model of information
systems;
The delivery and support of the IS/IT including facilities, operations, utilization and
access;
Monitoring of the processes surrounding the information systems;
The level of effectiveness, efficiency, confidentiality, integrity, availability, compliance
and reliability associated with the information held in; and
The level of utilization of IT resources available within the environment of the IS
including people, the application systems of interface, technology, facilities and data.
The above control objectives will be matched with the business control objectives to apply
specific audit procedures that will provide information on the controls built in the application,
indicating areas of improvement that we need to focus on achieving.
Application Control Review
An Application Control Review will provide management with reasonable assurance that
transactions are processed as intended and the information from the system is accurate, complete
and timely. An Application Controls review will check:
The effectiveness and efficiency of the controls
Application security
Whether the application performs as expected
A Review of the Application Controls will cover an evaluation of a transaction life cycle from
Data origination, preparation, input, transmission, processing and output as follows:
1. Data Origination controls are controls established to prepare and authorize data to be
entered into an application. The evaluation will involve a review of source document
design and storage, User procedures and manuals, Special purpose forms, Transaction ID
codes, Cross reference indices and Alternate documents where applicable. It will also
involve a review of the authorization procedures and separation of duties in the data
capture process.
2. Input preparation controls are controls relating to Transaction numbering, Batch serial
numbering, Processing, Logs analysis and a review of transmittal and turnaround
documents
3. Transmission controls involve batch proofing and balancing, Processing schedules,
Review of Error messages, corrections monitoring and transaction security
4. Processing controls ensure the integrity of the data as it undergoes the processing phase
including Relational Database Controls, Data Storage and Retrieval
5. Output controls procedures involve procedures relating to report distribution,
reconciliation, output error processing, records retention.
The use of Computer Aided Audit Techniques (CAATS) in the performance of an IS Audit
The Information Systems Audit Standards require that, during the course of an audit, the IS
auditor obtain sufficient, reliable and relevant evidence to achieve the audit objectives.
The audit findings and conclusions are to be supported by the appropriate analysis and
interpretation of this evidence. CAATs are useful in achieving this objective.
Computer Assisted Audit Techniques (CAATs) are important tools for the IS auditor in
performing audits. They include many types of tools and techniques, such as generalized audit
software, utility software, test data, application software tracing and mapping, and audit expert
systems. For us, our CAATs include ACL Data Analysis Software and the Information Systems
Audit Toolkit (ISAT).
CAATs may be used in performing various audit procedures including:
Tests of details of transactions and balances (Substantive Tests)
Analytical review procedures
Compliance tests of IS general controls
Compliance tests of IS application controls
CAATs may produce a large proportion of the audit evidence developed on IS audits and, as a
result, the IS auditor should carefully plan for and exhibit due professional care in the use of
CAATs.
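As an added example that is not part of the original document and is not ACL or ISAT code, the Python script below runs four typical CAAT tests over a small, constructed accounts-payable extract. The tests correspond to the application controls listed in the Application Control Review above (transaction numbering, batch proofing and balancing, processing schedules) and to the tests of details and compliance tests CAATs are used for here: a sequence gap test on transaction numbers, a duplicate-invoice test, a batch balancing test against control totals, and an out-of-hours posting test. The record layout, the batch control totals and the 08:00 - 18:00 business-hours window are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed accounts-payable extract for this example (not real client data).
TRANSACTIONS = [
    {"txn": 1001, "batch": "B1", "vendor": "V10", "invoice": "INV-7",  "amount": Decimal("120.00"), "posted": "2024-03-04T09:15"},
    {"txn": 1002, "batch": "B1", "vendor": "V11", "invoice": "INV-8",  "amount": Decimal("80.50"),  "posted": "2024-03-04T10:02"},
    {"txn": 1003, "batch": "B1", "vendor": "V10", "invoice": "INV-7",  "amount": Decimal("120.00"), "posted": "2024-03-04T10:40"},  # same invoice as 1001
    {"txn": 1005, "batch": "B2", "vendor": "V12", "invoice": "INV-9",  "amount": Decimal("300.00"), "posted": "2024-03-05T11:00"},  # 1004 never appears
    {"txn": 1006, "batch": "B2", "vendor": "V13", "invoice": "INV-10", "amount": Decimal("45.25"),  "posted": "2024-03-09T23:30"},  # Saturday night
]

# Constructed batch header control totals, as keyed in at data entry.
BATCH_CONTROL_TOTALS = {"B1": Decimal("200.50"), "B2": Decimal("345.25")}


def sequence_gaps(rows) -> List[int]:
    """Transaction-numbering test: numbers missing from the expected unbroken sequence."""
    present = sorted(r["txn"] for r in rows)
    expected = set(range(present[0], present[-1] + 1))
    return sorted(expected - set(present))


def duplicate_invoices(rows) -> List[Tuple[str, str]]:
    """Test of details: the same vendor/invoice reference processed more than once."""
    counts = Counter((r["vendor"], r["invoice"]) for r in rows)
    return sorted(key for key, n in counts.items() if n > 1)


def batch_balance(rows, control_totals) -> Dict[str, Decimal]:
    """Batch proofing: recompute item totals per batch and compare with the
    control totals; returns only the batches that do not balance."""
    totals: Dict[str, Decimal] = {}
    for r in rows:
        totals[r["batch"]] = totals.get(r["batch"], Decimal("0")) + r["amount"]
    variances: Dict[str, Decimal] = {}
    for batch in sorted(set(totals) | set(control_totals)):
        diff = totals.get(batch, Decimal("0")) - control_totals.get(batch, Decimal("0"))
        if diff != 0:
            variances[batch] = diff
    return variances


def out_of_hours_postings(rows, start_hour: int = 8, end_hour: int = 18) -> List[int]:
    """Processing-schedule test: postings at weekends or outside the assumed
    business-hours window, which an auditor would follow up by inquiry."""
    flagged = []
    for r in rows:
        when = datetime.fromisoformat(r["posted"])
        if when.weekday() >= 5 or not start_hour <= when.hour < end_hour:
            flagged.append(r["txn"])
    return flagged


def run_caat_tests(rows, control_totals) -> Dict[str, object]:
    """Run every test and collect the exceptions for the audit working papers."""
    return {
        "sequence_gaps": sequence_gaps(rows),
        "duplicate_invoices": duplicate_invoices(rows),
        "unbalanced_batches": batch_balance(rows, control_totals),
        "out_of_hours_postings": out_of_hours_postings(rows),
    }


if __name__ == "__main__":
    for name, result in run_caat_tests(TRANSACTIONS, BATCH_CONTROL_TOTALS).items():
        print(f"{name}: {result}")
```

Each exception the script reports is audit evidence, not a conclusion: a gap in the sequence may be a cancelled transaction and a weekend posting may be a scheduled batch run, so every item is traced back to source documents or explained by the auditee before it becomes a finding.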
The major steps to be undertaken by the IS auditor in preparing for the application of the selected
CAATs are:
Set the audit objectives of the CAATs
Determine the accessibility and availability of the organization’s IS facilities,
programs/system and data
Define the procedures to be undertaken (e.g., statistical sampling, recalculation,
confirmation, etc.)
Define output requirements
Determine resource requirements, i.e., personnel, CAATs, processing environment
(organization’s IS facilities or audit IS facilities)
Obtain access to the client's IS facilities, programs/system, and data, including file
definitions
Document CAATs to be used, including objectives, high-level flowcharts, and run
instructions
Make appropriate arrangements with the Auditee and ensure that:
1. Data files, such as detailed transaction files are retained and made available before the
onset of the audit.
2. You have obtained sufficient rights to the client’s IS facilities, programs/system, and data
3. Tests have been properly scheduled to minimize the effect on the organization’s
production environment.
4. The effect of changes to the production programs/system has been properly
considered.
See Template here for example tests that you can perform with ACL
PHASE 4: Reporting
Upon the performance of the audit tests, the Information Systems Auditor is required to produce
an appropriate report communicating the results of the IS Audit. An IS Audit report should:
1. Identify an organization, intended recipients and any restrictions on circulation
2. State the scope, objectives, period of coverage, nature, timing and the extent of the audit
work
3. State findings, conclusions, recommendations and any reservations, qualifications and
limitations