09/18/2022
IS AUDIT STANDARDS AND GUIDELINES
AUDIT CHARTER: this is a formal document that defines the internal audit function's purpose, authority, responsibility, and position within the organization. It is also called the terms of reference for internal audit.
The IS auditor should understand the IS audit charter and be conversant with the code of ethics; it is the charter that gives the IS auditor the authority and the responsibility to audit information assets.
The IS audit charter establishes the role of the information systems audit function. The charter should be approved by the highest level of management, or by the audit committee if that authority has been delegated to it.
The IS auditor should understand that the risk a business process carries before any control is applied is called INHERENT risk, and the risk that remains after it has been mitigated is called RESIDUAL risk.
The controls put in place for a business process are what is called mitigation.
The IS auditor should know that the auditor has the final say over what goes into the IS audit report; the IS auditor should therefore make sure that every finding is supported by material facts.
One of the reasons an auditor must obtain sufficient and appropriate audit evidence is that it supports a reasonable conclusion. This includes identifying control weaknesses relevant to the scope of the audit, and the evidence also serves to document and validate those weaknesses.
The IS auditor should report every weakness observed during the audit, even if the issue has already been rectified (the report can note that it was remediated), because the IS auditor is obliged to report all findings.
The IS auditor should establish the audit objectives and scope at the initial stage of the audit program. It is a serious concern if the objectives and scope are not established at that stage, because important business risks could be overlooked, which means the IS auditor may never audit the areas of highest risk to the organization. Appropriate audit objectives and scope lead to an appropriate risk assessment.
The IS auditor should first identify and rank information assets before performing any risk assessment. By identifying and ranking the information assets, the auditor learns the location, the criticality and the sensitivity of each asset, and these set the scope for how the inherent risk will be assessed.
An IS auditor may be former personnel of another unit within the same organization who was transferred to the IS audit unit; such an auditor should be able to detach from existing relationships. Independence should be the watchword of the IS auditor, and it should be continually assessed both by the auditor and by management.
When an IS auditor is assigned to audit a process, the auditor should first understand the application the business uses to process its transactions, and then understand the nature and criticality of the business processes in order to identify the specific controls required.
The IS auditor should be able to identify vulnerabilities in a system that are caused by a lack of adequate controls in the business process. A lack of adequate controls is a vulnerability that exposes sensitive information assets to malicious damage, attack, or unauthorized access by attackers, which can lead to financial loss, legal penalties, or other losses. Imagine an e-commerce website being defaced because a control gap left an exploitable weakness in place.
The IS auditor should understand that every IS audit report must be backed by sufficient and appropriate audit evidence; this is a standard of performance that allows the findings and recommendations to be validated.
An IS auditor should observe independence in professional conduct and should never take part in recommending any vendor; where an auditor recommends a vendor, the auditor's professional independence is compromised.
Often, when an organization is about to start a project, the auditor is called in to participate in order to understand the process and be able to appraise the controls being put in place. However, the auditor should not implement any specific functionality during the development of the project, as this may impair the auditor's independence. The independence of the auditor may be impaired if the IS auditor is actively involved in the development, acquisition, or implementation of the project.
Sometimes, without realizing it, an IS auditor may contravene the ISACA Code of Ethics. If the auditor takes part in designing the controls of a process that is later audited, a conflict of interest arises: the auditor can no longer be neutral in addressing any deficiencies found in controls the auditor helped to design.
The IS auditor should maintain audit independence and avoid conflicts of interest. If the IS auditor finds that the system within the scope of the audit was implemented by close colleagues in a way that could affect the audit's decision making, the auditor should disclose this to audit management or to the client; this is called full disclosure, because the auditor's participation in such an audit can impair the auditor's independence.
Furthermore, if an IS auditor was formerly a system developer or programmer and now works in the IS audit unit, that auditor should be excused from auditing any program or system this employee helped to develop or participated in; otherwise it amounts to self-auditing.
One of the tasks of an IS auditor is to review new or existing processes through system logs. The IS auditor may not have come across or understood many of the business processes; the best approach is to walk through the process by reading the operations manual, making enquiries, observing, inspecting the relevant documentation, and reperforming the controls. Together these give a thorough understanding of the overall process and identify potential control weaknesses.
An IS auditor should know that, no matter how experienced the auditor may be, the professional standard requires the supervisor or audit manager to review the audit working papers. It is a professional standard of ISACA, the Institute of Internal Auditors, and the International Federation of Accountants that audit staff be supervised in order to accomplish the audit objectives and comply with the requirements for competence, professional proficiency, and documentation.