ISACA Outlines Five Steps to Planning an Effective IS Audit Program

Source: ISACA


Rolling Meadows, IL, USA (31 March 2016) - A new report from global IT association ISACA identifies five steps organizations should take to create an effective audit program and reap the benefits of a successful information systems (IS) audit.

IS audits help enterprises ensure the effective, efficient, secure and reliable operation of the information technology that is critical to organizational success. The effectiveness of the audit depends largely on the quality of the audit program, according to a new ISACA white paper, titled Information Systems Auditing Tools and Techniques: Creating Audit Programs.

According to the guide, the audit process consists of three phases: planning, fieldwork/documentation and reporting/follow-up. The planning phase consists of five key steps.

  1. Determine audit subject.

  2. Define audit objective.

  3. Set audit scope.

  4. Perform pre-audit planning.

  5. Determine audit procedures and steps for data gathering.

“ISACA’s new white paper provides audit and assurance professionals with practical guidance on how to develop audit programs from the ground up,” said Rosemary M. Amato, CMA, CISA, a director on ISACA’s Board, and Director, Deloitte Accountant B.V. “Audit processes are clearly defined by phase with activities clearly described. ISACA’s new guide can be leveraged in your organization to add value to the audit function.”

Setting the audit scope is critical, according to the white paper, because “the IS auditor will need to understand the IT environment and its components to identify the resources that will be required to conduct a comprehensive evaluation.” A clear scope helps the auditor determine the testing points relevant to the audit’s objective.

Pre-audit planning includes tasks such as conducting a risk assessment, identifying regulatory compliance requirements and determining the resources that will be needed to perform the audit.

The final planning step - determining audit procedures and steps for data gathering - involves activities such as obtaining departmental policies for review, developing methodology to test and verify controls, and developing test scripts plus criteria to evaluate the test.

Once planning is complete, auditors can move on to the fieldwork and documentation phase (acquiring data, testing controls, issue discovery and validation, documenting results) and the reporting phase (gathering report requirements, drafting the report, issuing the report and follow-up), both of which are described in detail in ISACA’s paper.

“Creating Audit Programs” indicates three key success elements: IS auditors should be familiar with standard frameworks, the operating environment of the entity under review and the audit process used internally.

Information Systems Auditing Tools and Techniques: Creating Audit Programs