Information Technology Reference
In-Depth Information
staff is key to maintaining the requirements of this standard. During planning, the audit
team shall ensure that appropriate supervisory controls are built in the audit program.
The 1203.3 information systems audit standard extends the earlier standard by requiring
that the IS audit team ensure that staff with appropriate knowledge and skills are used on
the engagement. The standard does allow the use of audit staff that might not have the re-
quired skills to work on the engagement under supervision. This is common in most audit
functions due to unavailability of skilled staff and also the deterring factor of high salaries
demanded by experienced auditors.
Materiality (1204.1)
The 1204.1 information systems audit standard requires that IS auditors consider, at the
planning stage of the engagement, potential weaknesses or absences of IT controls that
could result in a significant deficiency or a material weakness. The use of IT general con-
trols audit is one method which can be used to assess absence or weaknesses in IT controls.
ITGC will give a high-level overview of the level of IT controls in the enterprise or partic-
ular subject area being audited.
The IS audit team might decide that before they perform any other audit, they should con-
sider performing an ITGC audit. This activity may be incorporated in the audit plan and
performed at the early stage of the audit. If the ITGC audit results into an assessment which
indicates significant deficiency or a material weakness, the audit team may decide to halt
the audit and advise the client.
Using the Work of Other Experts (1206.1 to 1206.2)
The IS audit team should assess and decide during the planning stage (1206.1 information
systems audit standard) whether the team requires the use of other experts in performing
the engagement. It is important that the audit team makes a careful consideration as using
other experts will increase the value of the audit as other experts will be able to provide
high-level skills which are not available on the team. Other experts would include, for ex-
ample, data analysts, computer forensic specialists, database specialists, SAP application
system experts, network specialists, and firewall security professionals.
The 1206.2 information systems audit standard requires that the IS audit team should en-
sure that the other experts to be used on the engagement have the skills to perform the sup-
port audit. The other experts will be bringing to the audit team skills which the other team
members do not have. It would defeat the sound objective and approach of the IS audit
team if inexperienced and unqualified experts were used on the engagement.
In a case where the IS audit team has an engagement of auditing databases in the enterprise
which store data used by the core application system, the IS audit team might require spe-
cial database skills to perform the audit. The engagement letter might require the IS audit
team to perform a more detailed audit, such as testing Oracle database alerts and triggers,
Search WWH ::
Custom Search