• Develop and implement a risk based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices
• Plan specific audits to ensure that IT and business systems are protected and controlled
• Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives
• Communicate emerging issues, potential risks and audit results to key stakeholders
• Advise on the implementation of risk management and control practices within the organization while maintaining independence
• ISACA IS Auditing Standards, Guidelines and Procedures, and Code of Professional Ethics
• IS auditing practices and techniques
• Techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, computer-assisted audit techniques (CAATs), electronic media)
• The evidence life cycle (e.g., collection, protection, chain of custody)
• Control objectives and controls related to IS (e.g., COBIT)
• Risk assessment in an audit context
• Audit planning and management techniques
• Reporting and communication techniques (e.g. facilitation, negotiation, conflict resolution)
• Control self assessment (CSA)
• Continuous audit techniques
• The role of the IS audit function should be established by an audit charter.
• IS audit is most likely to be a part of internal audit; therefore, the audit charter may include other audit functions
• This charter should state clearly management's responsibility and objectives for, and delegation of authority to, the IS audit function
• This document should outline the overall authority, scope and responsibilities of the audit function
• The highest level of management and the audit committee, if available, should approve this charter. Once established, this charter should be changed only if the change can be and is thoroughly justified
• Detail of Audit Charter
• Mandate
• Content
• Communication
• Service Level Agreements
• Should be detailed enough to communicate
– Purpose
– Responsibility
– Authority and accountability
– Limitations of the audit function or audit assignment
• Should be prepared for ongoing activities
• The audit charter should be subject to an annual review or more often if the responsibilities are varied or changed
• The IS auditor should have a clear mandate to perform the IS audit function
• This mandate is ordinarily documented in an audit charter that should be formally accepted
• Where an audit charter exists for the audit function as a whole, wherever possible the IS audit mandate should be incorporated
• Responsibility
• Authority
• Accountability
• Mission statement
• Aims/goals
• Scope
• Objectives
• Independence
• Relationship with external audit
• Auditee requirements
• Critical success factors
• Key performance indicators
• Other measures of performance
• Risk assessment
• Right of access to information, personnel, locations and systems relevant to the performance of audits
• Scope or any limitations of scope
• Functions to be audited
• Auditee expectations
• Organizational structure, including reporting lines to board and senior management
• Grading of IS audit staff
• Responsibility lines to senior management
• Assignment performance appraisals
• Personnel performance appraisals
• Staffing / career development
• Auditee's rights
• Independent quality reviews
• Assessment of compliance with standards
• Benchmarking performance and functions
• Assessment of completion of the audit plan
• Comparison of budget to actual costs
• Agreed actions; e.g. penalties when either party fails to carry out their responsibilities
• Describing the service, its scope, its availability and timeliness of delivery
• Providing cost estimates or budgets if they are available
• Describing problems and possible resolutions for them
• Providing adequate and readily accessible facilities for effective communication
• Determining the relationship between the service offered and the needs of the auditee
• Availability for unplanned work
• Delivery of reports
• Costs
• Response to auditee complaints
• Quality of service
• Review of performance
• Communication with auditees
• Needs assessment
• Control risk self assessment
• Agreement of terms of reference for audits
• Reporting process
• Agreement of findings
• Purpose - Engagement letters are often used for individual assignments or for setting the scope and objectives of a relationship between external IS Audit and an organization
• Content
• Authority
• Accountability
• Responsibility
• Scope
• Objective
• Independence
• Risk Assessment
• Specific auditee requirement
• Deliverable
• Right of access to information, personnel, locations and systems relevant to the performance of the assignment
• Scope or any limitations of scope
• Evidence of agreement to the terms and conditions of the engagement
• Intended recipients of reports
• Auditee's rights
• Quality reviews
• Agreed completion dates
• To the Profession
• To the Auditee (Organisation)
• To the Stakeholders
• Statutory and Regulatory
• To Society
• Rights of IS Auditors
• Limitations
• The IS auditor has the right to have an engagement letter or audit charter specifying the scope, objective and terms of reference of the audit
• The IS auditor has the right to access appropriate information and resources to effectively and efficiently complete the audit
• The IS auditor has the right to believe that management has established appropriate controls to prevent, detect and deter fraud unless the tests and evaluation carried out by the IS auditor prove otherwise
• The IS auditor has the right to call for such information and explanations deemed necessary and appropriate to permit objective completion of the audit
• The IS auditor has the right to retain the working files, documents, audit evidence, etc., obtained during the course of the audit, in support of his/her conclusions and to use the same as the basis of reference in case of any issues or contradictions
• The IS auditor should have sufficient knowledge to identify the indicators of fraud but may not be expected to have the expertise of the person whose primary responsibility is detecting and investigating fraud
• The IS auditor should be alert to the significant risks that might affect objectives, operations or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified
• Where the IS auditor is not able to obtain required information, is restricted from accessing resources or is in any way restrained from carrying out his/her function, the IS auditor should escalate his/her concerns to appropriate senior levels in management. The IS auditor should conduct the audit in a professional manner
• Where the IS auditor has utilized the services of an external expert, the IS auditor should evaluate the usefulness and sufficiency of work performed by such external expert and also perform appropriate testing to confirm the findings of the external expert
• The IS auditor is not responsible for implementing corrective actions
• Establishment of the regulatory requirements
• Organization of the regulatory requirements
• Responsibilities assigned to the corresponding entities
• Correlation to financial, operational and IT audit functions
• Legal requirements placed on IS audit
• Legal requirements placed on the auditee