ISACA issues guide to conducting IT audits

A new report from global IT association ISACA identifies five steps organizations should take to create an effective audit program and reap the benefits of a successful information systems audit.

IT audits help enterprises ensure the secure and reliable operation of the systems that are critical to organizational success. The effectiveness of the audit depends largely on the quality of the audit program, according to a new ISACA report titled "Information Systems Auditing Tools and Techniques: Creating Audit Programs."

According to the guide, the audit process consists of three phases: planning, fieldwork and documentation, and reporting and follow-up. The planning phase consists of five distinct steps.

  1. Determine audit subject.
  2. Define audit objective.
  3. Set audit scope.
  4. Perform pre-audit planning.
  5. Determine audit procedures and steps for data gathering.

"ISACA's new white paper provides audit and assurance professionals with practical guidance on how to develop audit programs from the ground up," said Rosemary M. Amato, CMA, CISA, a director on ISACA's Board, and Director, Deloitte Accountant B.V. "Audit processes are clearly defined by phase with activities clearly described. ISACA's new guide can be leveraged in your organization to add value to the audit function."

Setting the audit scope is critical, according to the white paper, because "the IS auditor will need to understand the IT environment and its components to identify the resources that will be required to conduct a comprehensive evaluation." A clear scope helps the auditor determine the testing points relevant to the audit's objective.

Pre-audit planning includes tasks such as conducting a risk assessment, identifying regulatory compliance requirements and determining the resources that will be needed to perform the audit.

The final planning step—determining audit procedures and steps for data gathering—involves activities such as obtaining departmental policies for review, developing methodology to test and verify controls, and developing test scripts plus criteria to evaluate the test.

Once planning is complete, auditors can move on to the fieldwork and documentation phase (acquiring data, testing controls, issue discovery and validation, documenting results) and the reporting phase (gathering report requirements, drafting the report, issuing the report and follow-up), both of which are described in detail in ISACA's paper.

"Creating Audit Programs" identifies three elements important to success: IS auditors should be familiar with standard frameworks, the operating environment of the entity under review, and the audit process used internally.