clearly understand the audit objectives as prescribed by the client and also perform the audit
more effectively.
ISACA has developed standards and guidelines which can be used when reviewing the
client's environment, such as standards 1201 and 1202. These standards require that during
planning, the IS auditors take into consideration the requirement to have a good
understanding of the enterprise. It is important that the IS audit team develops a good
understanding of the client's business strategies, operations, and risks. This will help the IS audit
team have a good understanding of the enterprise and focus the audit on the areas of high
risk.
A good starting point would be to review the client's business environment. The IS audit
team might consider reviewing the entire business environment or a specific area. Where
the engagement is focused on auditing an application system, which does not concern the
whole enterprise, the audit team might choose to review the business environment only
related to the focus area. Where an IS audit team is reviewing an end-to-end ERP system,
reviewing the entire business environment might be the preferred option. Information to be
collected during the review of the business environment might include previous audit
reports by internal and external auditors. Other internal reports would also be a good source
of information. The IS audit team might also collect business strategy documents,
business process documentation, organisational policies, financial reports, risk management
reports, performance reports, and any other business reports the audit team might find
useful.
After obtaining a good understanding of the general business environment, the audit team
will be in a position to review the IT environment. Remember that the purpose of the IT
function is to support the enterprise and not the other way round. Depending on the audit
objectives, the focus might be on a particular area or the entire IT environment. The
selection of a focus area will depend on the type of system being audited. If the system affects
the entire enterprise, the audit might cover the entire business environment. Where the
system is specific to a particular department or area, the audit might focus on specific areas.
The IS audit team is required to review and understand the IT environment by first
reviewing the internal IT organisation. The review would include the IT organisation structure,
segregation of duties, and IT operations. The IS audit team might also be required to
review documentation such as the IT strategy document, IT policy document, IT standards, and
IT procedures used in the enterprise. These documents will enable the IS audit team to
develop a good understanding of the IT environment.
The IS audit team might also consider reviewing partnerships and alliances with outside
enterprises that supply various IT services to the enterprise. Such suppliers might
have service-level agreements with the enterprise which may also entail having access to
the enterprise IT infrastructure.