ing out further testing (substantive testing) such as a penetration test in order to test if the
enterprise is secure and all ports not in use on the firewalls and routers are closed.
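As an added illustration of such a substantive test (this is example code, not from the book): the script below compares an exported firewall rule set against the list of services the business has documented as in use and reports every permit rule that opens a port with no documented owner. The rule format, the host names and the approved-services list are all constructed for the example; a real engagement would substitute the firewall's own export format and the enterprise's service inventory.

```python
"""Substantive test: confirm that only ports for services actually in use are
open on a firewall.  Added example, not from the book; the rule format and the
approved-services list are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: services the business has documented as in use,
# keyed by destination host, with the ports each service legitimately needs.
APPROVED_SERVICES: Dict[str, Set[int]] = {
    "web-dmz": {80, 443},
    "mail-relay": {25, 587},
}

# Constructed sample of exported firewall rules, one per line:
# <rule-id> <action> <src> <dst-host> <proto> <dst-port>
SAMPLE_RULES = """\
10 permit any web-dmz tcp 80
11 permit any web-dmz tcp 443
12 permit any web-dmz tcp 8080
20 permit any mail-relay tcp 25
21 permit any mail-relay tcp 587
22 permit any mail-relay tcp 23
30 deny any any ip any
"""


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str
    dst_host: str
    proto: str
    port: Optional[int]  # None means "any port"


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed whitespace-separated rule export."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rule_id, action, _src, dst, proto, port = line.split()
        rules.append(Rule(int(rule_id), action, dst, proto,
                          None if port == "any" else int(port)))
    return rules


def find_unapproved_openings(rules: List[Rule],
                             approved: Dict[str, Set[int]]) -> List[Rule]:
    """Return permit rules whose destination port is not documented as in use.

    A permit on "any" port is always reported, because no service inventory
    can justify an unrestricted opening.
    """
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        allowed = approved.get(r.dst_host, set())
        if r.port is None or r.port not in allowed:
            findings.append(r)
    return findings


def unapproved_rule_ids(text: str, approved: Dict[str, Set[int]]) -> List[int]:
    """Convenience wrapper: rule ids that need an explanation from the firewall owner."""
    return [r.rule_id for r in find_unapproved_openings(parse_rules(text), approved)]


if __name__ == "__main__":
    for rule in find_unapproved_openings(parse_rules(SAMPLE_RULES), APPROVED_SERVICES):
        print(f"rule {rule.rule_id}: {rule.dst_host} {rule.proto}/{rule.port} "
              f"is open but not in the approved service list")
```

Each reported rule is an audit exception to be taken back to the firewall owner: either the port serves a real but undocumented service (an inventory finding) or it is a leftover that should be closed (a control finding). Deny rules are ignored because the test is about unnecessary openings, not about blocked traffic.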
Another example where further testing is required is when the risk of inaccurate postings by accounting staff on an ERP system is considered high. The IS auditor may consider carrying out data analytics with CAAT tools, such as ACL, IDEA, or Excel, to confirm the accuracy of the data being captured on the ERP system. A data input walk-through would be another way of carrying out further tests.
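The following is an added example, not from the book, of the kind of CAAT-style analytics an auditor might otherwise run in ACL, IDEA or Excel. It loads a constructed export of ERP journal postings and applies three checks: every document's debits must equal its credits, no document line may appear twice (a sign of double posting), and postings dated on a weekend are listed for follow-up. The column names, document numbers and user ids are all constructed for the illustration.

```python
"""CAAT-style data analytics over ERP journal postings.  Added example, not
from the book; the export format and the records are constructed."""
import csv
from collections import defaultdict
from datetime import date
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample export: one line per posting line item.
# Document 1002 is deliberately unbalanced and has a duplicated line;
# document 1003 is dated on a Saturday.
SAMPLE_POSTINGS = """\
doc_no,line,post_date,user,account,debit,credit
1001,1,2024-03-04,jsmith,1200,500.00,0.00
1001,2,2024-03-04,jsmith,4000,0.00,500.00
1002,1,2024-03-05,mlee,5100,120.00,0.00
1002,2,2024-03-05,mlee,1200,0.00,100.00
1003,1,2024-03-09,jsmith,1200,75.00,0.00
1003,2,2024-03-09,jsmith,4000,0.00,75.00
1002,1,2024-03-05,mlee,5100,120.00,0.00
"""


def load_postings(text: str) -> List[dict]:
    """Parse the CSV export and convert amounts and dates to typed values."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["debit"] = float(r["debit"])
        r["credit"] = float(r["credit"])
        r["post_date"] = date.fromisoformat(r["post_date"])
    return rows


def unbalanced_documents(rows: List[dict]) -> List[str]:
    """Documents whose total debits do not equal total credits."""
    totals: Dict[str, List[float]] = defaultdict(lambda: [0.0, 0.0])
    for r in rows:
        totals[r["doc_no"]][0] += r["debit"]
        totals[r["doc_no"]][1] += r["credit"]
    # Half a cent of tolerance absorbs floating-point rounding.
    return sorted(d for d, (dr, cr) in totals.items() if abs(dr - cr) > 0.005)


def duplicate_lines(rows: List[dict]) -> List[Tuple[str, str]]:
    """(doc_no, line) keys that occur more than once: possible double posting."""
    seen: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in rows:
        seen[(r["doc_no"], r["line"])] += 1
    return sorted(k for k, n in seen.items() if n > 1)


def weekend_postings(rows: List[dict]) -> List[str]:
    """Document numbers posted on a Saturday or Sunday (weekday() 5 or 6)."""
    return sorted({r["doc_no"] for r in rows if r["post_date"].weekday() >= 5})


def run_checks(text: str) -> Dict[str, list]:
    """Run all three analytics over an export and return the exceptions."""
    rows = load_postings(text)
    return {
        "unbalanced": unbalanced_documents(rows),
        "duplicates": duplicate_lines(rows),
        "weekend": weekend_postings(rows),
    }


if __name__ == "__main__":
    for check, hits in run_checks(SAMPLE_POSTINGS).items():
        print(f"{check}: {hits}")
```

None of the three checks proves an error on its own: an unbalanced document may be a partially exported entry, a duplicate key may be an export artefact, and weekend work may be routine at month end. Their value is that they turn a population of postings into a short list of exceptions on which the auditor can then spend walk-through and enquiry time.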
IS auditors can also perform compliance testing against set policies, procedures, and standards. For example, information security policies can be tested against the ISO 27001 security standard.
IT performance testing is another common test. The IS auditors collect evidence in the form of actual performance results from a system and compare them with the planned performance set by the management team. The difference between the two enables auditors to identify possible findings and make recommendations; of course, actual performance will sometimes be 100 per cent of the plan. Performance metrics can also be used to assess IT performance.
When testing evidence (standard 1204.3 of the information systems audit standards), it is important to consider the overall effect of minor control weaknesses and whether the absence of controls adds up to a significant material weakness. The overall effect should be assessed for a particular audit area, for example the overall effect of minor control weaknesses on a network infrastructure. The result could be a high or a low material finding.
Standard 1205.1 of the information systems audit standards requires that IS auditors obtain sufficient and relevant evidence to enable them to reach appropriate conclusions on which to base their findings and recommendations. If evidence is limited, it may be difficult for the IS auditor to present convincing conclusions and recommendations to management. Where management holds a different opinion, it may be challenging for the auditor to justify the recommendations without sufficient evidence.
The audit team needs to ensure (standard 1205.2 of the information systems audit standards) that the evidence collected is sufficient to support its conclusions and achieve the engagement objectives. This means that conclusions should be based on the evidence collected and nothing else. It is the role of the IS audit team to ensure a sound evaluation of the evidence collected, using appropriate evaluation criteria.
Audit findings can be accepted if the assertions made by the auditors are supported by the evidence obtained. It is important that the audit objectives are clearly understood and agreed at the beginning of the audit if the client and the IS auditor are to achieve and accept the expected results of the audit. Normally, disagreements arise when the client and the auditor have different interpretations of the audit objectives.