How to conduct an Audit?

An audit is a systematic, independent, documented approach to objectively collect evidence and evaluate the controls against the audit criteria.

From an information systems point of view, an audit is a formal examination of information systems to determine whether they:

  • Comply with the applicable laws, regulations and industry guidelines.
  • Comply with the governance criteria, policies and procedures.
  • Have proper levels of confidentiality, integrity and availability.
  • Perform information systems operations efficiently.
  • Fulfill the effectiveness targets.

Whether it is a financial audit, an information security audit or a system audit, the three important phases of any audit program are PLANNING, DOCUMENTATION & REPORTING.

This article outlines the first phase of an audit - Planning.


This is the first and most essential phase in the audit process, in which the entire audit program is established and all the elements required to carry out and perform an audit are enumerated. The audit steps executed in this phase are as follows.

  1. Determine the audit subject: In this step, all the key areas that are to be audited are identified and documented.
  2. Define the audit objective: This step defines the audit's purpose, that is, why the audit is being performed. It could be a quarterly audit, a financial audit, an IS audit, or it could be done for regulatory or contractual reasons.
  3. Set the audit scope: This is the most significant step in the planning phase, since the audit committee must identify the system, business processes, services, or units to be audited. Setting the audit scope allows the audit team to better grasp the nature of the environment being audited.
  4. Perform the pre-audit planning: This step entails doing a risk assessment. If the audit is a compliance audit, conducting a risk assessment is a must because it aids in establishing the scope, justifying your results, and arranging the focus. Understanding the company environment is one of the most critical things to do before proceeding with risk assessment in pre-audit planning. It is difficult for auditors to do risk assessments and identify assets until they grasp the nature of the business. The availability of resources is also a significant consideration in pre-audit planning.
  5. Resource management: In this step, identify the technical skills and resources needed to conduct the audit. Along with the budget, locations and facilities are identified. Identifying and documenting roles and responsibilities is also part of resource management.
  6. Determine the audit procedures: Identifying and establishing the audit methodology or strategy is a critical step in the auditing process. Along with that, one of the most significant tasks is designing the audit program, which includes identifying the department's policies, procedures, and standards, as well as defining the Statement of Applicability (SOA), which describes the controls the audit evaluates against. Assuring the competency of auditors and lead auditors and selecting suitable audit teams are key components in developing audit procedures.
  7. Develop tools & techniques: Tools and methodologies to test and verify the controls must also be developed. Along with that, developing test scripts to effectively evaluate the controls is an important part of any audit program.

What is a Statement of Applicability?

A statement of applicability is a document that describes the controls and strategies that the organization has selected to address the identified risks. This document also discusses why these controls were chosen and how important they are. In addition, this document discusses whether or not the company's controls have been implemented, and if the organization has not implemented the controls, it also explains why any of these measures have been neglected. The statement of applicability document assists the auditor in successfully evaluating the controls in the organization.

These are a few of the critical steps that must be taken during the audit planning phase in order to provide a direction for the audit and ensure effective audit program implementation. In addition, it is critical to comprehend the management system requirements as well as the needs and expectations of all stakeholders.

I hope you found this information interesting! I'd love to hear your opinions on this article, and if there's anything else I might be missing, please don't hesitate to get in touch with me.

Chris Etwaroo MBA, FICB, CIA, CFA, CISP, CSTE, PPM

IT Auditor-Consultant at CP CAN. Consulting

1 year

Excellent! Excellent! Well written.....thanks for sharing, Chinmay

Sanjay Gore .

CISA, CRISC, CDPSE,CRMA, CPISI, LA 27001, ISSRW, AIMS Practitioner

2 years

A good article. Thanks for sharing
