Updated: Dec 21, 2020
1. Information Audit
The audit function should be managed and directed so that the audit tasks carried out by the audit team meet the requirements of the function while preserving the independence and competence of the audit.
Functional management begins with obtaining audit authorization: the responsibility and authority of the audit work must be clearly defined and managed. Audit work is inspection work, and it is difficult to carry out without a sufficiently high level of authorization.
Auditing has two basic characteristics: independence and competence. Independence emphasizes both functional independence and independence of skills. Competence means that auditors must have a solid professional foundation.
• IS audit services can be provided internally or externally.
• The role of the IS internal audit function should be determined by the audit charter.
The audit charter should clearly state management's responsibility for, the objectives of, and the authority delegated to the IS audit function. Top management and the audit committee should approve the charter. A charter is a powerful tool for obtaining authorization.
The audit plan contains the audit objectives and the audit process required to meet them. In the IS audit planning stage, the auditor's main goal is to achieve the audit objectives; to do so, the auditor must first review the overall business environment.
The long-term plan mainly considers the risks arising from the effect of the organization's IT strategic direction on the IT environment. The short-term plan mainly considers what is to be implemented.
Steps of the audit plan:
• Understand the business mission, objectives, purpose, and processes, including information and processing requirements such as availability, integrity, security, business technology, and information confidentiality.
• Identify relevant requirements such as policies, standards, required guidelines, procedures, and organizational requirements.
• Perform a risk analysis to help in creating the audit plan.
• Determine the audit objectives and audit scope.
• Develop the audit approach or audit strategy.
• Assign personnel resources to the audit.
• Address the logistics of the engagement.
3. ISACA IS Audit and Assurance Standards
The ISACA framework has three main components: standards, criteria, and tools and techniques.
General standards (1000 series) are the guiding principles for IS audit and assurance professionals. They apply to the performance of all engagements and address the ethics, independence, objectivity, and due care of IS audit and assurance professionals, as well as their knowledge, professional competence, and skills. The statements of standards (in bold) are mandatory.
Performance standards (1200 series) deal with the conduct of the engagement: planning and supervision, engagement scope, risk and materiality, resource mobilization, supervision and engagement management, audit and assurance evidence, and the exercise of professional judgment and due care.
Reporting standards (1400 series) deal with report types, means of communication, and the information communicated.
• General criteria (2000 series)
• Performance criteria (2200 series)
• Reporting criteria (2400 series)
• Tools and techniques
Tools and techniques provide additional guidance for IS audit and assurance professionals, for example white papers, IS audit/assurance programs, and the COBIT 5 product family.
4. Risk Analysis
Risk is the potential for a threat to exploit a vulnerability in an asset and cause harm to the organization. Risk analysis is part of audit planning; it helps IS auditors identify risks and vulnerabilities, evaluate existing controls, and rank the risks in order. Those with the highest risk should be addressed first.
• Identify business objectives
• Identify information assets
• Conduct a risk assessment
• Conduct risk mitigation
• Conduct risk treatment
Methods of risk treatment include:
• Reduce the risk
• Accept the risk
Risk assessment needs to be reviewed regularly for continuous improvement. In practice, expert analysis or management guidance is generally relied on during the audit.
5. Internal Control
Internal control usually consists of policies, processes, practices, and organizational structures: a set of systems, strategies, methods, and procedures adopted within the organization to reduce risk, safeguard its assets, and ensure the accuracy and reliability of accounting information.
Controls are classified as preventive (before the event), detective (during the event), and corrective (after the event). For example, adding a hash value to transmitted information cannot prevent the data from being tampered with, but by monitoring the hash you can learn that the data has been tampered with. That is a detective control.
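As an added illustration of the detective control just described (example code, not part of the original notes), the following Python takes a digest of each record as a baseline and later reports which records no longer match; the record names, contents, and key are constructed. It also shows the keyed (HMAC) variant, which is what the control needs when whoever can alter the data could also recompute a plain hash.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample records, captured when the integrity baseline was taken.
BASELINE_RECORDS = {
    "payroll-2020-12.csv": b"emp_id,amount\n1001,5200\n1002,4800\n",
    "vendor-master.csv": b"vendor_id,bank_acct\nV01,EXAMPLE-ACCT-0001\n",
}

def digest(data: bytes, key: Optional[bytes] = None) -> str:
    """Hex digest of `data`.

    Unkeyed: plain SHA-256, which catches accidental or careless modification
    but can be recomputed by anyone able to rewrite the data.
    Keyed: HMAC-SHA256, which only a holder of `key` can produce, so a change
    made without the key cannot be concealed by updating the digest.
    """
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def take_baseline(records: dict, key: Optional[bytes] = None) -> dict:
    """Digest every record; these values travel with the data or sit in a
    separately protected store."""
    return {name: digest(data, key) for name, data in records.items()}

def verify(records: dict, baseline: dict, key: Optional[bytes] = None) -> list:
    """Detective control: names of records that are missing or whose current
    digest no longer matches the baseline. This does not stop a change from
    happening; it only makes the change visible afterwards."""
    changed = []
    for name, expected in baseline.items():
        current = records.get(name)
        if current is None or not hmac.compare_digest(digest(current, key), expected):
            changed.append(name)
    return sorted(changed)

def demo() -> list:
    """Baseline the records, alter one amount in a copy (constructed tampering),
    and show that verification flags exactly that record."""
    baseline = take_baseline(BASELINE_RECORDS)
    tampered = dict(BASELINE_RECORDS)
    tampered["payroll-2020-12.csv"] = b"emp_id,amount\n1001,5200\n1002,9800\n"
    return verify(tampered, baseline)  # -> ["payroll-2020-12.csv"]
```

The check only tells you that a record changed, not what changed or who changed it; the corrective step (restoring from a trusted copy, investigating the change) is a separate control.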
Auditors focus on whether internal controls exist, whether the control design is effective and reasonable, and whether implementation is sound. If all three are in place, the risk is considered relatively low. If any part is deficient, an independent audit should be carried out to continuously improve the system and ensure smooth operation.