sources are protected. In some cases, laws may be updated to reflect current requirements.
Enterprises also come up with internal policies and procedures which auditors might be
required to follow. Professional associations such as ISACA or IIA, on the other hand, also
develop auditing standards which auditors are required to follow. IS auditors are required
to be current with applicable laws and professional standards. One of the requirements to
be certified as an IS auditor by ISACA is agreeing to observe standards and association
bylaws and to be professional in approach to work.
During the planning stage, it is recommended that the IS auditor use a risk-based approach
where necessary. The auditor would be guided by the enterprise risk profile or any risk
assessments which were performed in the recent past. Time permitting, the IS auditor can
perform an independent risk assessment in order to validate some information in the risk
reports. A review of the various risk reports and a discussion with the risk manager or any
member of staff with enterprise risk management responsibilities would suffice.
It is always advisable that IS auditors address engagement-specific issues when conducting
an audit. Digressing from the provided audit objectives would not only cause the audit to
take longer but also conflict with the expectations of the client. The IS auditor also runs the
risk of having the deliverables rejected because they include issues outside the
scope of the engagement.
During the planning stage, IS auditors should also be clear as to what documentation and
reporting is required. This information would be included in the engagement letter and should
also be verified with the client before the audit starts. Where this information is not
available, it is the responsibility of the IS auditor to ensure that this information is made
available by the client.
The 1201.2 information system audit standard requires the audit team to develop
and document an IS audit or assurance engagement project plan. The IS audit plan can
easily be developed using project management software such as Microsoft Project. The
project software would enable the IS auditor to indicate the tasks, schedule, and resources to
be used on the engagement.
IS auditors should take particular interest in the nature of the engagement, as this
would determine how to approach the work and how to address the audit objectives. Audits
which involve compliance with the enterprise IT policies and procedures may not require
use of special software to perform the audit. At the higher end, however, compliance work
may require the IS auditor to hold interviews with the board or senior management, which
could require good skills and approach when dealing with senior executives. The nature of
the engagement might therefore demand certain types of audit skills and procedures to conduct
the audit engagement effectively.
Risk Assessment in Planning (1202.1 to 1202.3)