Audit methodology and audit documentation in CISA
The audit method is a series of written audit procedures designed to achieve predetermined audit objectives. Its contents include the audit scope, audit objectives, and audit steps. The audit method should be formulated and approved by audit management and applied consistently. It should also be formal and communicated to all auditors.
The stages of an audit are listed below. The key result in the early stage of the audit process is the audit procedure, which records all audit steps that should be followed, as well as the extent and type of evidence to be inspected, and serves as a guide for carrying out the audit.
1. Audit objects
Identify the audit fields.
2. Audit objectives
Clarify the audit goal. For example, the goal may be to examine whether source code is changed in a well-designed and controlled environment.
3. Audit scope
Determine the specific system, function or unit of the organization to be checked. For example, in the source program change audit above, the audit scope may be limited to a certain application system or to a certain period.
4. Audit plan
Identify the required technical skills and resources; determine the sources of information for testing or inspection, such as functional flow diagrams, policies, standards, procedures and previous audit work papers; and determine the audit location or facility.
5. Audit procedures and steps for data collection
Select and determine the audit method for testing and verifying the controls, determine the list of interviewees, and collect and determine the department policies, standards and guidelines to be inspected. Develop audit tools and methods for testing and verifying the controls.
6. Procedure for evaluating test or inspection results
Varies by organization
7. Communication procedures with management personnel
Varies by organization
8. Prepare audit report
Determine follow-up audit procedures, determine procedures for testing and evaluating operational effectiveness and efficiency, and determine control testing procedures. Check and evaluate the rationality of documents, policies and procedures.
Although the audit process does not have to fully follow a specific series of steps, IS auditors generally follow one, and at a minimum they gain an understanding of the audited entity, evaluate the control structure, and perform control tests. Audit institutions should develop and approve a set of audit methods as the minimum steps that all audit tasks must follow. All audit plans, procedures, activities, findings and incidents should be properly recorded in the working papers. The format and medium of the working papers can be adapted to the specific needs of the department. IS auditors should pay special attention to maintaining the integrity of the audit test evidence and protecting its value as evidence supporting the audit results. The work record can be regarded as a bridge or link between the audit objectives and the final report. As the trail and support of the audit work, it provides a seamless connection from the objectives to the report and from the report back to the objectives. The audit report can also be regarded as a special kind of working paper.
The audit document is the evidence supporting the audit conclusion, so it should be clear, complete, easy to retrieve and understand. Audit documents are usually the property of audit entities, and only authorized persons can access them. When external organizations need to access these documents, auditors should obtain the approval of senior management or clients. IT auditors or audit departments should also formulate policies for custody, retention and release of audit documents.
The audit documentation should include at least the following records:
･Planning and preparation of the audit objectives and scope
･Description of the defined audit areas or of the audit procedures performed
･Audit steps performed and audit evidence collected
･Use of the services of other auditors and experts
･Audit findings, conclusions and recommendations
･The relationship between audit documents and document identification and time
It is also recommended to include in the audit documents:
･Evidence of audit supervision and inspection
･A copy of the audit report issued as the result of the audit work
In the project management audit process, the primary concern is the analysis of business benefits. The business case is the core purpose of implementing an IT project. Any informatization effort is, in essence, undertaken to obtain business benefits. For example, if an enterprise wants to expand sales channels and increase sales through an e-commerce system, then one of the goals in the business benefit analysis of the e-commerce system project could be to increase the company's sales by 30% after the system goes online. As another example, if a company launches a CRM system, then the objectives of its business case should include an increase in the integrity of customer data, a repeat customer rate of 50%, and so on. If a company invests in a warehouse management system, the desired business benefits may include a 30% increase in inventory turnover. In short, the business case aims to look at the value of IT projects to the organization from a business perspective.
In general, if we need an IT system, or want an organization to make an IT investment, we must explain to leadership what benefit the organization will get from undertaking the project. This benefit is the business benefit. In actual work, we generally prepare a feasibility analysis report at the beginning of a project. This feasibility analysis report is a specific form of business benefit analysis.