At last, it’s the turn of the «Performing an IS Audit» part of my CISA Review Manual 2013 study plan. When I started reading this chapter, I was quite anxious; it was like «That’s what you’ve been looking for», and, yes, it definitely was.
What I learnt: it’s all about methodology, methodology and methodology.
Components of an Audit methodology are:
- a statement of scope;
- a statement of audit objectives; and
- a statement of audit programs.
An audit methodology is divided into the following phases:
Audit charter: see my previous post here;
Audit objectives: when the auditor and the auditee identify the purpose of the audit. The audit can be one of the following types:
- Compliance audits, to verify adherence to specific regulatory or industry standards;
- Financial audits, to assess the accuracy and integrity of financial reporting;
- Operational audits, to evaluate the internal control structure of a given process or area;
- Integrated audits, which combine financial and operational audit steps;
- Administrative audits, to assess the efficiency and productivity of a process, unit or area;
- IS audits;
- Specialized audits.
Audit scope: when the specific systems, functions or units to be included in the audit are identified;
Pre-audit planning: when:
- the technical skills and resources needed are identified;
- the sources of information are selected, such as procedures and prior audit work papers;
- the facilities and locations to be audited are identified.
Audit procedures and steps for data gathering: when the individuals to be interviewed are identified;
Procedures for evaluating the test results and procedures for communicating with management (both depend on the specific auditee’s needs);
Audit report preparation: the time to review and evaluate the documents, policies and procedures gathered.
Then, many months later…, a good IS auditor presents the audit documentation to the auditee. How? Well, the answer may come in the next posts.