Organization of the is audit function - Isaca

INTRODUCTION

The role of the information systems (IS) audit function should be established by an audit charter. IS audit is most likely to be a part of internal audit; therefore, the audit charter may include other audit functions. This charter should state clearly management's responsibility and objectives for, and delegation of authority to, the IS audit function. This document should outline the overall authority, scope and responsibilities of the audit function. The highest level of management and the audit committee, if available, should approve this charter. Once established, this charter should be changed only if the change can be and is thoroughly justified.

IS AUDIT RESOURCE MANAGEMENT

IS auditors are a limited resource and information systems technology is constantly changing. Therefore, it is important that IS auditors maintain their competency through updates of existing skills as well as obtain training directed towards new audit techniques and technological areas. Specifically, the IS auditor should understand techniques for managing audit projects with appropriately trained members of the audit staff. Skill and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

Preferably, a detailed staff training plan should be drawn for the year based on the organization's direction in terms of technology and related risk issues that need to be addressed. This should be reviewed semi annually to ensure that the training needs are aligned to the direction that the audit organization should take. Additionally, IS audit management should also provide the necessary IT resources needed to properly perform IS audits of a highly specialized nature (e.g., scanners for network intrusion tests.)

AUDIT PLANNING

Audit planning consists of both short- and long-term planning. Short-term planning takes into account audit issues that will be covered during the year, whereas long-term planning relates to audit plans that will take into account risk-related issues regarding changes in the organizations IT strategic direction that will affect the organization's IT environment.

Analysis of both short- and long-term issues should occur at least annually. This is necessary to take into account new control issues, changing technologies and enhanced evaluation techniques. The results of this analysis for planning future audit activities should be reviewed and approved by senior management and by the audit committee, if available, and communicated to relevant levels of management.

In addition to overall annual planning, each individual audit assignment must be adequately planned. The IS auditor should understand that other considerations, such as risk assessment by management, regulatory requirements and other matters, may impact the overall approach to the audit. The IS auditor should also take into consideration system implementation/upgrade deadlines, current and future technologies, and IS resource limitations.

When planning an audit, the IS auditor must have an understanding of the overall environment under review. This should include a general understanding of the various business practices and functions relating to the audit subject, as well as the types of information systems supporting the activity. For example, the IS auditor should be familiar with the regulatory environment in which the business operates.

24

2004 CISA Review Manual

Audit Process

To perform an audit planning, the IS auditor should:

1. Gain an understanding of the business purpose, objective, processes and technology.

2. Perform a risk analysis.

3. Conduct an internal control review.

4. Set the audit scope and objective.

5. Develop the audit approach or audit strategy.

Steps an IS auditor could take to gain an understanding of the business include: Touring key organization facilities

Reading background material including industry publications, annual reports and independent financial analysis reports Reviewing long-term strategic plans Interviewing key managers to understand business issues Reviewing prior reports

Another basic component of planning is the matching of available audit resources to the tasks as defined in the audit plan. The IS auditor who prepares the plan should consider the requirements of the audit project, staffing resources and other constraints. This matching exercise should consider the needs of individual audit projects as well as the overall needs of the audit department.

LAWS AND REGULATIONS EFFECT ON IS AUDIT PLANNING

Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls and to the manner in which computers, programs and data are used.

Special attention should be given to these issues in those industries that historically have been closely regulated. For example, the banking industry worldwide has severe penalties for companies and their officers should the company not be able to provide an adequate level of service because of substandard backup and recovery procedures. Also, Internet service providers are subject, in several countries, to specific laws regarding confidentiality and service availability.

Several countries, because of the growing dependencies upon information systems and related technology, are making efforts to establish added layers of regulatory requirements concerning IS audit. The contents of these regulations regard:

• Establishment

• Organization

• Responsibilities

• Correlation to financial, operational and IT audit functions

Management personnel, at all levels, should be aware of the external requirements relevant to the goals and plans of the organization and to the responsibilities and activities of the information services department/function/activity.

Listed below are steps an information systems control auditor would perform to determine an organization's

...