plication system may also be required for review. IT operations procedures are included in
the IT operations manual. This document can be found with the IT director or manager.
Before the IS auditor commences the audit assignment, one important document required
is the audit charter. The document outlines the organisation's audit statement or policy. All
audits to be conducted in the enterprise should be guided by the audit charter. This document
is normally found with the audit director or any member of senior management. The
audit charter will have a section on IS audit. In some enterprises, you might find an IS audit
charter as a separate document but linked to the main audit charter. In addition to the IS
audit charter, the IS auditor may be given an engagement letter which will outline audit
objectives and expectations which are specific to the area or system to be audited.
The IT department is a good area to start the IS audit from as it gives the IS auditor a
first-hand impression of the level of IT controls in the enterprise. Documents required when
reviewing the IT organisation in the enterprise include the organisation structure, job
descriptions, authority levels, user rights, segregation of duties, and section roles within the
IT department.
The IS auditor may also collect additional information on available controls in the systems
in use. Usually the IS auditor will find documented IT controls which are either in hard
copy, soft copy, or embedded in the systems. The IS auditor should be on the lookout for
undocumented controls, which sometimes exist where old systems are in use or where new
systems were not properly implemented. In such a case, the IS auditor may decide
to conduct a preliminary interview with IT management in order to establish the existence
of undocumented IT controls.
There are many other documents not mentioned here which the IS auditor may be required
to collect and review during the planning and IT environment review stages. The guide
would be the engagement letter provided by the client.
The planning stage and the stage of understanding the client's IT environment help to ensure that
the IS auditor has a clear picture of what is required during an audit engagement. These are
key stages which should not be skipped or ignored. There is always a tendency by new IS
audit practitioners to go straight into performing the audit, which often results in disastrous
outcomes.
Performing the Audit
This is the stage when the actual audit is performed by the IS auditor using various tools.
This comes after the planning stage and the IT and business environment assessment stages have
been successfully concluded and a go-ahead has been given to start the audit. The IS auditor
would start by making interview appointments with the relevant officers, such as the
IT director, IT manager, line managers, and data and systems owners. It is advisable or good