To ensure efficient customer service, most enterprises provide online services and
support to their customers. Online procurement of goods and services with minimal human
contact is common in most enterprises, and it is a preferred method because it is more
efficient and reduces labour costs. The IS auditor should take an interest in how such
services are delivered and how related IT risks are managed.
Other external interfaces which need to be considered during this stage include regulators,
vendors, and consultants. All these external contacts may require access to the enterprise
IT infrastructure. It is imperative that issues of IT controls, security, and privacy are
considered before the audit commences. The IS audit team would be required to review
agreements with the suppliers, consultants, and vendors. The IS audit team should consider
reviewing the existence and content of service-level agreements, if any, between the
enterprise and its suppliers. Lastly, the IS audit team should also consider reviewing how
the client's business processes are impacted and modified by these various agreements or
relationships.
The 1204.1 information systems audit standard requires auditors to consider potential
weaknesses or lack of controls at the planning stage so that they can determine any
substantial materiality. This information should be considered at the planning stage and
would help indicate what to include in the plan. Where materiality is considered to be
high, the IS audit team might decide to extend the test of controls by conducting
substantive testing procedures, such as using CAATs.
A high-level risk assessment may be performed during the planning stage in order to
provide assurance that all areas with high materiality have been included and would be
reviewed during the audit. The risk assessment should include a review of the enterprise's
IT environment. The IS audit team should also take into consideration the inherent risk the
organisation is facing.
The IS audit team might consider looking at the risk profile of the enterprise in order to
determine the risk levels. The team should also review other risk documents such as risk
governance, risk policy, and procedures.
At the end of this stage, the IS audit team would have reviewed and obtained a good
understanding of the organisation's environment and also collected sufficient information
to assist in refining the audit plan.
Performing the Audit
The next stage after collecting all the necessary information about the enterprise is to
perform the audit. The IS auditor would also have collected all the necessary tools required
for the audit. Communication with the client and all members of the IS audit team is
important so that everyone is aware of what is expected of them. The key document is the audit plan