Information Audit Process

Updated: Dec 21, 2020

1. Information Audit

The audit function should be managed and guided to ensure that the audit tasks implemented by the audit team can meet the requirements of the audit function while maintaining the independence and competence of the audit.

Functional management starts with obtaining audit authorization. The responsibility and authority of the audit work must be clearly defined and managed. Auditing is inspection work, and it is difficult to carry out without a sufficiently high level of authorization.


Two basic characteristics of auditing: independence and competence. Independence emphasizes the independence of functions and the independence of skills. Competency means that auditors must have a solid professional foundation.

IS audit services can be provided internally or externally.

• The role of the IS internal audit function should be determined by the audit charter.

The audit charter should clearly state the management’s responsibilities, objectives, and authorizations for IS audit responsibilities. The top management and audit committee should approve the charter. A charter is a powerful tool for obtaining authorization.

2. Audit Plan

The audit plan contains the audit objectives and the audit process required to meet them. In the IS audit planning stage, the auditor's main goal is to achieve the audit objectives; to do so, the auditor must first review the overall business environment.

The long-term plan mainly considers the risks that arise from the impact of the organization’s IT strategic policy on the IT environment. The short-term plan mainly considers what is to be implemented.

Steps of audit plan:

・Understand the business mission, objectives, and processes, including information and processing requirements such as availability, integrity, security and business technology, and information confidentiality.

・Identify relevant regulations such as policies, standards, and required guidelines, procedures, and organizational requirements.

・Implement risk analysis to help create an audit plan.

・Determine audit objectives and audit scope.

・Develop audit methods or audit strategies.

・Allocate human resources to audit matters.

・Implement logistics support of the project.

3. ISACA IS Audit and Assurance Standards

There are mainly three kinds of audit standards: standards, criteria, and tools and techniques.


General standards (1000 series) are the guiding principles for IS audit and assurance professionals. These standards apply to the performance of all tasks and also relate to the ethics, independence, objectivity, and due diligence of IS audit and assurance professionals, as well as their knowledge, professional competence, and skills. The statement of standards (in bold) is mandatory.

Performance standards (1200 series) relate to task execution, such as planning and supervision, task scope, risks and importance, resource mobilization, supervision and task management, audit and attestation evidence, as well as professional judgment and due prudence.

Reporting standards (1400 series) relate to reporting types, communication methods, and the information conveyed.


General criteria (2000 Series)

Performance criteria (2200 Series)

Report criteria (2400 Series)

・Tools and techniques

Tools and techniques provide additional guidance for IS audit and assurance professionals, such as white papers, IS audit/assurance plans, and the COBIT 5 product series.

4. Risk Analysis

Risk refers to a threat exploiting the vulnerabilities of assets to cause damage to the organization. Risk analysis is part of the audit plan. It helps IS auditors identify risks and vulnerabilities, evaluate existing control measures, and then rank the risks in order. High risks should be addressed first.

Risk assessment process:

・identify business objectives

・identify information assets

・conduct risk assessment

・conduct risk mitigation

・conduct risk disposal

Several methods of risk treatment:

・reduce risk

・accept risk

・avoid risk

・transfer/share risk

Risk assessment needs to be reviewed regularly for continuous improvement. In the actual audit process, expert analysis or management guidance is generally used.

5. Internal Control

Internal control usually consists of policy, process, practice, and organizational structure. To reduce risk, protect the safety of its assets, and ensure the accuracy and reliability of accounting information, the organization adopts a series of systems, strategies, methods, and procedures.

Control measures are preventive (in advance), detective (during the event), or corrective (after the event). For example, adding a hash value to transmitted information cannot prevent the data from being tampered with, but checking the hash reveals that the data has been tampered with. That is the purpose of a detective measure.
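The hash check described above, as an added example that is not part of the original article: records are changed in transit without anything stopping the change, and the receiver's audit flags them afterwards. It uses a keyed hash (HMAC) rather than the bare hash the text mentions, because a bare hash sent with the data can be recomputed by whoever alters it; the key, record contents, and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; assumed to be shared out of band by sender and receiver.
SHARED_KEY = b"constructed-demo-key"

def tag(record: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed SHA-256 digest (HMAC) that travels with the record."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()

def send(records):
    """Sender side: pair every record with its tag."""
    return [(r, tag(r)) for r in records]

def audit(received, key: bytes = SHARED_KEY):
    """Receiver side: recompute each tag, return indexes of records that fail."""
    return [i for i, (record, claimed) in enumerate(received)
            if not hmac.compare_digest(tag(record, key), claimed)]

def demo():
    # Constructed sample records.
    sent = send([b"pay 100 to A", b"pay 250 to B", b"pay 75 to C"])
    in_transit = list(sent)
    # Case 1: record altered, original tag left in place.
    in_transit[1] = (b"pay 950 to B", sent[1][1])
    # Case 2: record altered and an unkeyed SHA-256 recomputed to match it.
    forged = b"pay 75 to X"
    in_transit[2] = (forged, hashlib.sha256(forged).hexdigest())
    # The changes went through (no prevention); the audit flags them (detection).
    return audit(sent), audit(in_transit)

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean batch findings:", clean)
    print("tampered batch findings:", tampered)
```

The list of failing indexes is the audit evidence; a corrective control, such as requesting retransmission, would act on it.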

Auditors focus on whether internal control exists, whether the design of control is effective and reasonable, and whether the implementation is good. If all of them are well done, then we think the risk is relatively low. If one part is not well done, then we should execute an independent audit to constantly improve the system and ensure smooth operation.


© Copyright 591Lab 2020. All Rights Reserved.