Information Systems Auditing

The IS Audit Planning Process

2nd Edition

Robert E. Davis, MBA, CISA, CICA

CraigsPress.com

PO Box 339

Ramona, CA 92065

© Copyright 2009 Robert E. Davis, MBA, CISA, CICA. All rights reserved.

No part of this book may be reproduced, stored in a retrieval system, or transmitted by any means without the written permission of the author.

First published by CraigsPress.com on 4/3/2009.

Printed in the United States of America.

This book is printed on acid-free paper.

Preface

The global Information Technology (IT) community considers becoming a Certified Information Systems Auditor (CISA) a major accomplishment. To obtain the CISA designation, information systems auditors, controls professionals, or security professionals must pass a rigorous test demonstrating knowledge in a multitude of information systems audit process areas. Information Systems Audit and Control Association (ISACA) standards and guidelines, audit risk, and audit objectives are just a few of the knowledge requirements CISA candidates must master.

Objectives

Information Systems Auditing: The IS Audit Planning Process is part of an electronic booklet series providing comprehensive IS audit planning, study, evaluation, and testing methods. Systematically, the series covers major steps in the IS audit process not chronicled in ISACA standards and guidelines. In terms of content, these monographs convert selected audit standards into practical applications using detailed examples. These monographs also allow auditors to understand the various steps and processes required to adequately initiate, document, and compile IT audit phases. Through these study aids, a CISA student will acquire an appreciation for IT financial statement, government, and external auditing. Collectively, these monographs function as study guides for CISA examination preparation as well as audit reference manuals.

IS audit area planning mastery reflects professional experience and training. Regarding subject mastery, this booklet contains a detailed plan preparation, documentation, and presentation process for IS audits, which can be translated, if practiced, into professional experience. Chronologically, this monograph describes the required audit steps performed during an audit area assignment. Specifically, audit objectives, risk, and materiality are described from an ISA’s perspective, while other equivalent audit standards and guidelines are presented alongside. Furthermore, auditor opening conference communication is discussed at this monograph’s conclusion.

Related Material

To enhance certification candidate preparation, Boson Software offers practice tests traversing the ISACA CISA examination domains. These practice tests are excellent knowledge diagnostic and test simulation tools, furnishing a variety of question formats for the purchaser. Lastly, the practice tests are customizable, therefore allowing study of selected CISA domains.

Table of Contents

Introduction...... 6

1.0 Auditors...... 8

1.1 Audit Objectives...... 9

1.2 Business Objectives...... 11

1.3 Organizational Practices...... 14

1.4 Materiality...... 16

1.5 Audit Risk Assessment...... 17

1.6 Internal Control Assessment...... 23

2.0 Audit Plan ...... 28

2.1 Engagement Letter...... 30

3.0 Opening Conference...... 31

Appendix A...... 33

Appendix B...... 34

Acronyms...... 35

Glossary...... 37

Bibliography...... 41

Biography...... 47

Introduction

Planning an Information System (IS) audit can be compared to preparing for a dinner party. Preparations for a dinner party include deciding the type of party, whom to invite, the duration, and the menu. After contemplating this analogy you will find the following similarities. The type of party equates to the audit area being reviewed. Whom to invite relates to key organization personnel. Determining duration has the same implications for an audit project as for a dinner party; however, an IS audit usually runs for a longer period of time. In addition, the IS audit menu is what you plan to examine during the audit, not devour (Table 1.1).

Table 1.1 Comparative Dinner Menu - IT Audit Plan

Dinner Menu / IT Audit Plan
Appetizer / Planning
Jumbo Shrimp Cocktail / Risk Assessment
Clam Chowder / Audit Administration
Bread Sticks / Opening Conference
Entrée / Study & Evaluation of Controls
Chicken Cordon Bleu / Transaction A
Potato Au Gratin / Transaction B
Spinach / Transaction C
Beverages / Testing of Internal Controls
Coffee / Compliance Testing
Tea / Transaction A
Soda / Transaction B
(no menu item) / Substantive Testing
(no menu item) / Transaction C
Dessert / Audit Report
Chocolate Mousse / Closing Conference

An audit plan describes a predetermined audit objective and scope, with sufficient supporting detail, to guide development of an audit program. Audit plans reflect applicable auditing standards and practice statements issued by governing bodies of the audit profession. In particular, the International Federation of Accountants (IFAC) provides financial audit standards and Information Technology (IT) guidelines, whereas the American Institute of Certified Public Accountants’ (AICPA’s) Statements on Auditing Standards (SAS) affect financial statement audit plan preparation. Additionally, the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing is the primary reference source when planning internal audits. Comparatively, the Information Systems Audit and Control Association’s (ISACA’s) IS Standards, Guidelines, and Procedures for Auditing and Control Professionals affect information systems audit plans. Jointly, ISACA’s documented audit methodologies, techniques, and tools provide standards and guidance for planning the evaluation of deployed manual and automated processes. Auditors usually plan engagements based on audit objectives, business objectives, organizational practices, materiality, and control risk assessments. Beneficially, following audit plan procedures normally assures adequate coverage of the audit ambit.

After completing the IS audit plan, approval should be obtained from the next higher level of audit management. Once audit department management approves the plan, the auditor distributes an engagement letter to designated personnel. Engagement letter content addresses responsibility, authority, and accountability for an audit assignment.

Concluding IS audit planning, the next procedure is to contact selected engagement letter recipients for scheduling an “opening conference.” This conference provides an opportunity to present the audit process, discuss any concerns, and modify audit focus. Thus, conference attendees adjourn with a collective understanding of the audit timetable, availability of departmental resources, as well as an improved audit plan.

1.0 Auditors [1, 2]

There are apparent overlaps between Financial Auditor (FA) and Information Systems Auditor (ISA) responsibilities. One reason this interrelationship exists is that, when planning audits, both the FA and the ISA evaluate manual as well as automated processing. However, there is an obvious distinguishing feature. As most of the professional audit community is aware, a FA fundamentally focuses on financial transactions, whereas the ISA’s emphasis is placed on system processing. In addition, the FA’s audit is mandated by assertions presented in financial statements. Though the ISA is concerned about the same assertions, there are other reasons for performing an IS audit. Therefore, the rhetorical question is: What other reasons are there for performing an audit? The answer: an ISA can direct attention towards management’s assertions concerning a particular subject matter or related subject matter. Additionally, an ISA may focus attention on a direct subject matter. These assertions or direct subject matters do not necessarily involve financial statements.

As previously mentioned, the FA and ISA evaluate manual and automated processing. Manual procedures encompass the input and output of transactions/cycles/events, while system procedures reflect computer processing of transactions/cycles/events. Documented transactions should maintain accountability for assets, liabilities, and equity. Coincidentally, documented transactions may represent distinct or combined processing of activities performed by an organization. In combination, logical groupings of related transactions or activities are cycles, whereas auditable unit events reflect transactions or activities of a specific duration. Individually, transactions/cycles/events are auditable units.

External or internal auditors can perform IS audits. Assertions and subject matters presented in an organization’s financial statements are primary external auditor concerns. Financial statement assertions represent declarations of accounting activity performance. Furthermore, financial statement assertions are based, at least partially, on processing performed by the organization’s information