Whilst questionnaires can be good tools for collecting data, it is recommended
that IS auditors also consider making use of other tools, such as observing systems at work,
analysing data captured from live systems, or comparing the performance of similar systems.
Understanding the IT Environment
As part of planning activities, it is important that the auditor has a good understanding of
the enterprise to be audited. The IS auditor should understand the nature of the client's business
and operations before setting out to develop the audit program. The IS audit team may
not perform a good audit if they are not familiar with the client's business and IT environment.
This requirement applies to both internal and external IS auditors. It is easier for
internal IS auditors to have access to enterprise information than external auditors. External
auditors need to apply extra effort to collect all the required information. Often
the client may not be willing to provide all the requested information, for various reasons.
Key information an IS auditor would be looking for is the business strategy of the organisation.
The strategy would outline what the business intends to do or is doing to achieve its
overall goals. The client would provide this information through a business strategy document
approved by the board. It is likely that the CEO or any member of senior management
would have a copy of the strategy document. In the business strategy document, the
IS auditor will find the IT strategy of the enterprise. In some enterprises, the IT strategy
could be a separate document (separated for easy access). The IT strategy outlines how the
enterprise is using IT to deliver on its promise or provide IT services.
Additional information an IS auditor would need during this stage is the supporting IT
policies and procedures. The IS auditor should have a clear understanding of the IT policies
in place so that he is aware of how IT operates and is used in the enterprise. The IS auditor
will be expected to use IT policies to assess IT compliance and operations.
A key document required during the audit is the business process document. This could be
a separate document, or the processes could be described as part of procedures in a procedures
document. The document will outline all the business processes which are used
to carry out business operations. Business processes are normally expressed as procedures
(manual or automated). In a highly automated environment, most of these processes would
be configured as processes in an application system. The IS auditor may be required to review
the business processes so that he has a good understanding of business operations.
The IS auditor may also be required to look at the financial regulations in force in the enterprise,
especially if the audit will involve reviewing the accounting application system. IT
operational procedures covering the enterprise resource planning (ERP) or any other ap-