Information Systems Audit: The Planning
How to plan a best IS audit strategy?
As the use of technologies immensely increased in the domains of finance and business, the number of fraudulent activities and data leakage has skyrocketed. As a result, the role of IS audit to verify, validate the controls in such systems to maintain legal compliance has become invaluable.
A typical IS audit process includes the following agendas:
- Creating the audit plan
- Selecting the audit procedures
- Reporting a communicating audit results
The preliminary step of the IS audit is to fulfill the audit charter by planning the audit schedule. The audit schedule determines which audit is to be planned and conducted.
In order to create an audit plan, risk assessment is necessary by including the upcoming plan, past incidents, and portions where management is concerned. At the same time, effective and efficient audit resources should also be planned and finally, scheduling the audit process – when convenient for the business process.
So, audit planning can be summarized as :
- Determine the scope of the audit.
- What is the objective of an audit ?
- Are the sufficient resources allocated to complete the audit process?
- Is auditee and area of audit available to provide the requested support when needed?
- What is the project timeline?
How to fulfill the objective of the IS audit?
Every audit process has a specific defined objective.
It is based on:
- To verify if specific controls are in place.
- To validate the controls are working effectively by properly performing input validation, configuration management, and output.
- How the CIA is maintained- Confidentiality, Integrity, and Availability?
- To ensure legal compliance with the policy and procedures.
- Are staff aware of processes and procedures? Do they have sufficient knowledge and skills?
- Review the documented resources on policy and procedures being followed.
The audit planning should be concerned on:
Audit Risk: The risk the audit can miss something?
Limitation: Unavailability of information, or personnel for the support.
Change in scope: Sometimes, a new priority or change may occur.
Reporting: Clearly articulate whom to report the audit result, who will be responsible for the action. Timely reporting on serious findings that may require immediate action.
Use of external experts: Check for cases when an outside expert is required who have required tools and expertise in the respective field and make sure of NDAs (Non-Disclosure Agreements) to protect the information.
The auditor doesn’t know the subject area.
An unprepared auditor.
Audit Planning Process:
Always seek to understand how the business works:
- Understand the business.
- Evaluate the risk and challenges.
- Review documentation like prior audits, policies & procedures, organization chart, laws, regulations, and standards.
Validate the risk:
- Is the risk assessment up-to-date?
- Is the risk scope aligned with the audit scope?
- Review risk register (What are the known risk ? What is the inherent risk?)
Tips for Better Audit Planning:
- Do not recommend the existing controls or the controls that are being planned.
- Determine existing controls?
- Inquire controls being planned?
- Give credit to those that have been worked on.
- Notify the auditee of schedules, duration, and required support like system access, documentation, personnel, description of work to be performed, and how that will provide value.