Download presentation
Presentation is loading. Please wait.
1
IS Audit Function Knowledge
2
Tasks Develop and implement a risk based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices Plan specific audits to ensure that IT and business systems are protected and controlled Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives Communicate emerging issues, potential risks and audit results to key stakeholders Advise on the implementation of risk management and control practices within the organization while maintaining independence
3
Knowledge Risk assessment in an audit context
IS ISACA Auditing Standards, Guidelines and Procedures and Code of Professional Ethics IS auditing practices and techniques Techniques to gather information and preserve evidence (e.g. observation, inquiry, interview, computer-assisted audit techniques (CAATs), electronic media) The evidence life cycle (e.g., the collection, protection, chain of custody) Control objectives and control related to IS (e.g., COBIT) Risk assessment in an audit context Audit planning and management techniques Reporting and communication techniques (e.g. facilitation, negotiation, conflict resolution) Control self assessment (CSA) Continuous audit techniques
4
Organization The role of the IS audit function should be established by an audit charter. IS audit is most likely to be a part of internal audit; therefore, the audit charter may include other audit function This charter should state clearly management's responsibility and objectives for, and delegation of authority to, the IS audit function This document should outline the overall authority, scope and responsibilities of the audit function The highest level of management and the audit committee, if available, should approve this charter. Once established, this charter should be changed only if the change can be and is thoroughly justifies
5
Audit Charter (G5) Detail of Audit Charter Mandate Content
Communication Service Level Agreements
6
Detail of Audit Charter
Should be detailed enough to communicate Purpose Responsibility Authority and accountability Limitations of the audit function or audit assgnment Should be prpared for ongoing activities The audit charter should be subject to an annual review or more often if the responsibilities are varied or changed
7
Mandate The IS auditor should have a clear mandate to perform the IS audit function This mandate is ordinarily documented in an audit charter that should be formally accepted Where an audit charter exists for the audit function as a whole, wherever possible the IS audit mandate should be incoporated
8
Content Responsibility Authority Accountability
9
Responsibility Mission statement Aims/goals Scope Objectives
Independence Relationship with external audit Auditee requirements Critical success factors Key performance indicators Other measures of performance
10
Authority Risk assessment
Right of access to information, personnel, locations and systems relevant to the performance of audits Scope or any limitations of scope Functions to be audited Auditee expectations Organizational structure, including reporting lines to board and senior management Grading of IS audit staff
11
Accountability Responsibility lines to senior management
Assignment performance appraisals Personnel Performace appraisals Staffing / career development Auditee's rights Independent quality reviews Assessment of compliance with standards Benchmarking performance and functions Assessment of completion of the audit plan Comparison of budget to actual costs Agreed actions; e.g. penalties when either party fails to carry out their responsibilities
12
Communication Describing the service, its scope, its availability and timeliness of delivery Providing cost estimates or budgets if they are available Describing problems and possible resolutions for them Providing adequate and readily accessible facilities for effective communication Determining the relationship between the service offered and the needs of the auditee
13
Service Level Agreements
Availability for unplanned work Delivery of reports Costs REsponse to auditee complaints Quality of service Review of performance Communication with auditees Needs assessment Control risk self assessment Agreement of terms of reference for audits Reporting process Agreement of finding
14
Engagement Letter (G5) Purpose - Engagement letters are often used for individual assignments or for setting the scope and objectives of a relationship between external IS Audit and an organization Content Authority Accountability
15
Content Responsibility Scope Objective Independence Risk Assessment
Specific auditee requirement Deliverable
16
Authority Right of access to information, personnel, locations and systems relevant to the performance of the assignment Scope or any limitations of scope Evidence of agreement to the terms and conditions of the engagement
17
Accountability Intended recipients of reports Auditees rights
Quality reviews Agreed completion dates
18
Responsibility To the Profession To the Auditee (Organisation)
To the Stakeholders Statutory and Regulatory To Society
19
Authority Rights of IS Auditors Limitations
20
Rights of IS Auditors The IS auditor has the right to have an engagement letter or audit charter specifying the scope, objective and terms of reference of the audit The IS auditor has the right to access appropriate information and resources to effectively and efficiently complete the audit The IS auditor has the right to believe that management has established appropriate controls to prevent, deter and deter fraud unless the tests and evaluation carried on by the IS auditor prove otherwise The IS auditor has the right to call for such information and explanations deemed necessary and appropriate to permit objective completion of the audit The IS auditor has the right to retain the working files, documents, audit evidences, etc., obtained during the course of the audit, in support of his/her conclusions and to use the same as the basis of reference in case of any issues or contradictions
21
Limitations The IS auditor should have sufficient knowledge to identify the indicators of fraud but may not be expected to have the expertise of the person whose primary responsibility is detecting and investigating fraud The IS auditor should be alert to the significant risks that might affect objectives, operations or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified
22
Limitations Where the IS auditor is not able to obtain required information, is restricted from accessing resources or is in any way restrained from carrying out his/her function, the IS auditor should escalate his/her concerns to appropriate senior levels in management. The IS auditor should conduct the audit in a professional manner Where the IS auditor has utilized the services of an external expert, the IS auditor should evaluate the usefulness and sufficiency of work performed by such external expert and also perform appropriate testing to confirm the findings of the external expert The IS auditor is not responsibility for implementing corrective actions
23
Accountability Professional Accountability Professional Negligence
Restrictions
24
Effect of laws and Regulation on IS Audit Planning
Establishment of the regulatory requirements Organization of the regulatory requirements Responsibilities assigned to the corresponding entities Correlation to financial, operational and IT audit functions
25
Major Concern Legal requirements placed on IS audit
Legal requirements placed on the auditee
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.