Internal auditors looking to get more involved in information systems audits have a new resource to help guide the process, courtesy of ISACA, a global association of professionals focused on IS audit and control.
A new ISACA white paper titled Information Systems Auditing Tools and Techniques: Creating Audit Programs outlines five steps auditors should take to effectively plan an information system audit. The five steps include determining the audit subject, defining the audit objective, setting the audit scope, performing pre-audit planning, and determining procedures and steps for gathering data. The paper provides detailed descriptions of how to carry out each step.
The paper is meant to provide auditors with practical guidance on how to develop information systems audit programs from the ground up, says Rosemary Amato, a director on ISACA’s board and a director with Deloitte. “Audit processes are clearly defined by phase with activities clearly described,” she says. “ISACA’s new guide can be leveraged in your organization to add value to the audit function.”
ISACA says the paper provides a basic understanding of the steps necessary to develop a comprehensive audit program that clearly and consistently documents the procedures to test controls and gather supporting data. It also is meant to help auditors develop audit programs consistent with auditing standards, especially ISACA’s and those of the Public Company Accounting Oversight Board, the Institute of Internal Auditors and the American Institute of Certified Public Accountants. The paper is not meant, however, to provide technical guidance on auditing specific technologies, ISACA says.
The paper is targeted at both IS auditors and non-ISA auditors, ISACA says, although the paper also provides a summary of the minimum skills an auditor would need in order to effective audit IS. Most critical, says ISACA, is “understanding the business environment and related risks to determine what to test and why.” Auditors need an ability to customize audit procedures according to the nature of the subject under review and the specific risk that needs to be addressed.
While the new paper is focused on audit planning, another ISACA paper provides further guidance on fieldwork and documentation to carry out the audit.