If an enterprise is to be effective in meeting its objective and accomplishing its mission, it is important to identify key success factors. What are those goals where achievement is essential to the overall success of the enterprise? IS audits help enterprises ensure the effective, efficient, secure and reliable operation of the information technology that is critical to an enterprise’s success.

The effectiveness of the audit depends largely on the quality of the audit program, according to an ISACA white paper titled Information Systems Auditing Tools and Techniques: Creating Audit Programs.

According to the guide, the audit process consists of 3 phases: planning, fieldwork/documentation, and reporting/follow-up. The planning phase consists of 5 key steps.

  • Determine audit subject.
  • Define audit objective.
  • Set audit scope.
  • Perform pre-audit planning.
  • Determine audit procedures and steps for data gathering.

Once the planning phase is complete it is time to begin the audit. Because audit programs are a key tool in this process, ISACA has started simplifying and reformatting its audit programs to make them more user-friendly. While these programs are simplified for ease of use, each control can be traced back to a COBIT 5 process that provides more detail, which may be helpful during an audit engagement.
Recently, the following 4 audit programs were simplified/reformatted and published on ISACA’s web site: Bring Your own Device (BYOD), Cloud Computing, IT Risk Management and Change Management. Traditionally, the audit programs have been in Microsoft Word, and while the content has not changed very much the newly formatted audit programs are now in Microsoft Excel. So instead of continuous scrolling down to locate a particular process, each has its own worksheet and has been clearly labelled.

The first worksheet of each audit program has instructions on how to use each of the 13 columns. Eight columns allow the audit professional to insert information that may be helpful during the review of the audit. Typically at the end of an audit there is a review process; these 8 columns allow the auditor to include information that may be helpful during the review process. Among them is the ref. risk column, which allows the auditor to identify the specific risk(s) associated with the control being assessed.

Three columns regarding information about the control under review have been added: control type, control class, and control frequency. Having this information gives the auditor and reviewer more information to assess whether it is operating effectively and efficiently. The remaining 4 columns are ref. frameworks and standards, which allow the auditor to enter references to any frameworks and/or standards the enterprise uses or is required to comply with. The ref. work paper allows the auditor to identify supporting documentation.

The pass/fail column is a place for the auditor to specify whether the overall control passed or failed based on the testing performed, and the comments column is there for the auditor to document any notes that may be helpful during subsequent review of the information.

Performing an audit can be a daunting task especially for a new auditor. By the same token, performing the customary review of an audit can be challenging when one has not been intimately involved in the process. These simplified audit programs, along with the ISACA white paper titled Information Systems Auditing Tools and Techniques: Creating Audit Programs, provide the audit professional with both the knowledge and the tools that will facilitate the process from beginning to end.

(About the author: Paul Phillips is a technical research manager with the ISACA. This post originally appeared on his ISACA blog, which can be viewed here)

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access