which could be in the form of a project management plan developed using Microsoft Project
or other similar software.
The audit plan would include timelines and resources to be used during the audit. The plan
would normally be broken down into tasks, and each task would have resources allocated
to it and a duration for completion of its activities.
It is important to secure appointments with the various officers you intend to meet during
the audit in good time. It is quite disappointing to go out for an audit and not be
able to find the right people. Not only can this situation disrupt an IS auditor's audit plan,
but it also requires him to schedule another trip to meet the auditee.
It is recommended that the IS audit team provide sufficient information to the client prior
to the meeting. For example, it would be good to advise the client which areas the IS auditor
will be reviewing on each particular day. The full program of the IS auditor's activities
should also be communicated to the client in advance. If the IS auditor has planned
to review the network environment on the first day, communication with the client should
be made in good time so the client is able to have all the necessary information ready and
also facilitate access to various networking devices and IT rooms. In some cases, network
servers might be the responsibility of a different person, and such information needs to be
relayed to the appropriate person in good time in order for the second person to prepare for
the audit.
The client might also need to be informed how the IS auditor would like to collect the
evidence or data. If the IS auditor would like to collect data from a firewall monitoring tool,
for example, he will need to indicate whether the data should be provided in printed copies
or soft copies. Some enterprises have internal policies which do not allow distribution of
soft copies to third parties. These issues need to be cleared early with the client so that they
do not become a stumbling block during the audit.
It is usually good practice to prepare questionnaires before the IS auditor commences
the audit. This gives the IS auditor an assurance that all areas of the audit would be
covered. Well-prepared questionnaires also allow the IS auditor to put further questions
to the client, which can be recorded on the questionnaire itself. The questionnaire should
cover all issues relating to the audit objectives. There is usually a tendency during interviews
to get carried away and ask questions which are outside the scope of the audit. The
IS auditor is required to develop a number of questions for each audit objective which will
enable collection of appropriate evidence to support responses from the client.
In addition to questionnaires, the IS auditor might collect information through walk-throughs
and observation of various activities taking place, or by confirming the existence of
various devices which might have been installed, such as routers, firewalls, and network
switches.