From an information systems point of view, an audit is a formal examination of information systems to determine whether those systems:
- Comply with the applicable laws, regulations and industry guidelines.
- Comply with the governance criteria, policies and procedures.
- Have proper levels of confidentiality, integrity and availability.
- Perform information systems operations efficiently.
- Fulfill the effectiveness targets.
Whether it is a financial audit, an information security audit or a system audit, the three important phases of any audit program are PLANNING, DOCUMENTATION and REPORTING.
This article outlines the first phase of an audit - Planning.
This is the first and most essential phase in the audit process, in which the entire audit program is established and all the elements required to carry out and perform an audit are enumerated. The audit steps executed in this phase are as follows.
- Determine the audit subject: In this step, all the key areas that are to be audited are identified and documented.
- Define the audit objective: This stage defines the audit's purpose. It could be a quarterly audit, a financial audit, an IS audit, or it could be done for regulatory or contractual reasons. This phase entails defining why the audit is being performed.
- Set the audit scope: This is the most significant step in the planning phase, since the audit committee must identify the systems, business processes, services, or units to be audited. Setting the audit scope allows the audit team to better grasp the nature of the environment being audited.
- Perform the pre-audit planning: This phase entails conducting a risk assessment. If the audit is a compliance audit, a risk assessment is a must, because it helps establish the scope, justify the findings, and direct the audit's focus. Understanding the company environment is one of the most critical things to do before proceeding with the risk assessment in pre-audit planning; auditors cannot assess risk and identify assets until they grasp the nature of the business. The availability of resources is also a significant consideration in pre-audit planning.
- Resource Management: Identify the technical skills and resources needed to conduct the audit in this step. Along with the budget, locations and facilities are identified. The identification and documenting of roles and responsibilities is also part of resource management.
- Determine the audit procedures: Identifying and establishing the audit methodology or strategy is a critical phase in the auditing process. One of the most significant tasks here is designing the audit program, which includes identifying the department's policies, procedures, and standards, as well as defining the Statement of Applicability (SOA), which describes the controls against which the organization is evaluated. Ensuring the competence of auditors and lead auditors, and selecting suitable audit teams, is a key component in developing audit procedures.
- Developing Tools & Techniques: Developing tools and methodologies to test and verify the controls is also required. Along with that, developing test scripts to effectively evaluate the controls is an important part of any audit program.
What is a Statement of Applicability?
A statement of applicability is a document that describes the controls and strategies the organization has selected to address the identified risks. It also explains why these controls were chosen and how important they are. In addition, it records whether or not each control has been implemented, and where the organization has not implemented a control, it explains why that control was excluded. The statement of applicability assists the auditor in effectively evaluating the controls in the organization.
These are the critical steps that must be taken during the audit planning phase in order to give the audit direction and ensure effective implementation of the audit program. In addition, it is critical to understand the management system requirements as well as the needs and expectations of all stakeholders.
I hope you found this information interesting! I'd love to hear your opinions on this article, and if there's anything else I might be missing, please don't hesitate to get in touch with me.
IT Auditor-Consultant at CP CAN. Consulting (1 year):
Excellent! Excellent! Well written... thanks for sharing, Chinmay
CISA, CRISC, CDPSE, CRMA, CPISI, LA 27001, ISSRW, AIMS Practitioner (2 years):
A good article. Thanks for sharing