At last, it’s the turn of the «Performing an IS Audit» part of my CISA Review Manual 2013 study plan. When I started reading this chapter, I was quite anxious; it felt like «That’s what you’ve been looking for», and, yes, it definitely was.

What I learnt is that it’s all about methodology, methodology and methodology.

The components of an audit methodology are:

  • a statement of scope;
  • a statement of audit objectives; and
  • a statement of audit programs.

The audit methodology is divided into the following phases:

Audit charter: see my previous post here;

Audit objectives: when the auditor and the auditee identify the purpose of the audit. Purposes can be:

  • Compliance audits, to demonstrate adherence to specific regulatory or industry standards;
  • Financial audits;
  • Operational audits, to evaluate the internal control structure of a given process or area;
  • Integrated audits, which combine financial and operational audit steps;
  • Administrative audits, to assess the efficiency and productivity of a process, unit or area;
  • IS audits;
  • Specialized audits.

Audit scope: when the specific systems, functions or units to be included in the audit are identified;

Pre-audit planning: the time when:

  • the technical skills and resources needed are identified;
  • the sources of information are selected, such as procedures and prior audit work papers;
  • the facilities and locations involved are identified.

Audit procedures and steps for data gathering: the time to identify the individuals to interview;

Procedures for evaluating the test results and procedures for communicating with management (both depend on the specific auditee’s needs);

Audit report preparation: the time to review and evaluate the documents, policies and procedures gathered.

Then, many months later…, a good IS auditor presents the audit documentation to the auditee. How? Well, the answer, maybe, in the next posts.