The IS auditor might require software tools to interrogate the client's systems so that
evidence can be collected. The audit team and the client need to agree on which software tools
the auditors can use and how the connection to the client's systems will be made. In some
enterprises, it is preferred to use offline systems (backup servers) which contain the same data
as the live system.
The 1203.4 ISACA information systems audit standard requires that IS auditors collect
sufficient and relevant information in order to achieve the agreed audit objectives. Collecting
evidence is quite a demanding exercise, and sufficient time should be allocated to this activity.
The 1203.5 information systems audit standard requires the IS auditor to document the entire
audit process, and this information will be used to support the findings and recommendations
which will be made at the end of the audit. It is also important to document all activities
during the audit, as this information is required for future reference and audit records.
In some countries, audit records are required by law to be kept for seven or ten years before
they are destroyed. Clients may also want detailed information to support the IS auditor's
conclusions and recommendations. Detailed information can be accessed from the records
kept during the entire audit.
Testing and Evaluation
After performing the audit and collecting necessary evidence, the IS auditor has the task of
testing and evaluating the evidence collected. The testing and evaluation stage can also be
performed during the actual auditing stage. In this topic, the two stages have been separated
so that we can review the two areas in more detail. At the end of the chapter, you will see
the benefits of separating the two stages of performing the audit and carrying out testing
and evaluation of collected evidence.
At this stage, the IS auditor will test or examine the collected evidence in order to find out
whether the controls were properly designed and whether they are operating effectively.
The IS auditor will use the data or evidence collected when performing the audit to test
the controls. Substantive tests can also be performed on data collected from the system, in
addition to testing the design of IT controls. Other tests can also be performed depending
on the client's requirements.
The 1203.6 information systems audit standard requires auditors to identify and conclude
on findings. This is done after testing the controls to determine their effectiveness. Auditors
can also evaluate IT performance or operations against IT policies, processes, and procedures
in order to identify and conclude on findings.
If, for example, a network infrastructure audit finds that the risk of being hacked is high
because of some vulnerabilities, the IS auditor might consider carry-