IS Standards, Guidelines and Procedures for Auditing and Control ...

More documents

Recommendations

Info

G5 Audit Charter continued2.3.2 The audit charter forms a sound basis for communication with auditees and should include references to service levelagreements for such things as:• Availability for unplanned work• Delivery of reports• Costs• Response to auditee complaints• Quality of service• Review of performance• Communication with auditees• Needs assessment• Control risk self assessment• Agreement of terms of reference for audits• Reporting process• Agreement of findings2.4 Quality Assurance Process2.4.1 The IS auditor should consider establishing a quality assurance process (e.g., interviews, customer satisfaction surveys,assignment performance surveys, etc.) to understand the auditees’ needs and expectations relevant to the IS audit function.These needs should be evaluated against the charter with a view to improving the service or changing the service delivery oraudit charter, as necessary.3. ENGAGEMENT LETTER3.1 Purpose3.1.1 Engagement letters are often used for individual assignments or for setting the scope and objectives of a relationship betweenexternal IS audit and an organisation.3.2 Content3.2.1 The engagement letter should clearly address the three aspects of responsibility, authority and accountability. Aspects toconsider are set out in the following paragraphs.3.2.2 Responsibility• Scope• Objectives• Independence• Risk assessment• Specific auditee requirements• Deliverables3.2.3 Authority• Right of access to information, personnel, locations and systems relevant to the performance of the assignment• Scope or any limitations of scope• Evidence of agreement to the terms and conditions of the engagement3.2.4 Accountability• Intended recipients of reports• Auditees’ rights• Quality reviews• Agreed completion dates4. EFFECTIVE DATE4.1 This guideline is effective for all information systems audits beginning on or after 1 September 1999.26
G6 Materiality Concepts for Auditing Information1. BACKGROUND1.1 Linkage to Standards1.1.1 Standard S5 Planning states “The IS auditor should plan the information systems audit coverage to address the auditobjectives and comply with applicable laws and professional auditing standards.”1.2 Need for Guideline1.2.1 The IS Auditing Guideline G15 Planning states “In the planning process, the IS auditor should ordinarily establish levels ofplanning materiality such that the audit work will be sufficient to meet the audit objectives and will use audit resourcesefficiently.” (Paragraph 2.3.1)1.2.2 Financial auditors ordinarily measure materiality in monetary terms, since what they are auditing is also measured andreported in monetary terms. IS auditors may audit non-financial items, e.g., physical access controls, logical access controls,program change controls, and systems for personnel management, manufacturing control, design, quality control, passwordgeneration, credit card production and patient care. IS auditors may therefore need guidance on how materiality should beassessed in order to plan their audits effectively, focus their effort on high risk areas and assess the severity of any errors orweaknesses found.1.2.3 This guideline provides guidance in applying IS Auditing Standards. The IS auditor should consider it in determining how toachieve implementation of the above standard, use professional judgment in its application and be prepared to justify anydeparture.2. PLANNING2.1 Assessing Materiality2.1.1 The assessment of what is material is a matter of professional judgment and includes consideration of the effect on theorganisation as a whole of errors, omissions, irregularities and illegal acts which may arise as a result of control weaknessesin the area being audited.2.1.2 In assessing materiality, the IS auditor should consider:• The aggregate level of error acceptable to management, the IS auditor and appropriate regulatory agencies• The potential for the cumulative effect of small errors or weaknesses to become material2.1.3 In planning sufficient audit work to meet the audit objectives, the IS auditor should identify the relevant control objectives anddetermine, based on materiality, which controls will be examined. With respect to a specific control objective, a materialcontrol is a control or group of controls without which control procedures do not provide reasonable assurance that the controlobjective will be met.2.1.4 Where the IS audit objective relates to systems or operations that process financial transactions, the value of the assetscontrolled by the system(s) or the value of transactions processed per day/week/month/year should be considered inassessing materiality.2.1.5 Where financial transactions are not processed, the following are examples of measures which should be considered toassess materiality• Criticality of the business processes supported by the system or operation• Cost of the system or operation (hardware, software, staff, third-party services, overheads, or a combination of these)• Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicityrequired for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high wastage,etc.)• Number of accesses/ transactions /inquiries processed per period• Nature, timing and extent of reports prepared and files maintained• Nature and quantities of materials handled (e.g., where inventory movements are recorded without values)• Service level agreement requirements and cost of potential penalties• Penalties for failure to comply with legal and contractual requirements• Penalties for failure to comply with public health and safety requirements3. REPORTING3.1 Identifying Reportable Issues3.1.1 In determining the findings, conclusions and recommendations to be reported, the IS auditor should consider both themateriality of any errors found and the potential materiality of errors which could arise as a result of control weaknesses.3.1.2 Where the audit is used by management to obtain a statement of assurance regarding IS controls, an unqualified opinion onthe adequacy of controls should mean that the controls in place are in accordance with generally accepted control practices tomeet the control objectives, devoid of any material control weakness.3.1.3 A control weakness should be considered material, and therefore reportable, if the absence of the control results in failure toprovide reasonable assurance that the control objective will be met. If the audit work identifies material control weaknesses,the IS auditor should consider issuing a qualified or adverse opinion on the audit objective.3.1.4 Depending on the objectives of the audit, the IS auditor should consider reporting to management weaknesses which are notmaterial, particularly when the costs of strengthening the controls are low.27
Page 1: IS Standards, Guidelines and Proced
Page 4 and 5: Code of Professional EthicsThe Info
Page 6 and 7: IS Auditing Standards OverviewIssue
Page 8 and 9: IS Auditing StandardsIssued by Info
Page 10 and 11: 03 The IS auditor should plan the i
Page 12 and 13: information provided, appropriate t
Page 14 and 15: Operative Date14 This ISACA standar
Page 16 and 17: IS Auditing GuidelinesG1 Using the
Page 18 and 19: G2 Audit Evidence Requirement1. BAC
Page 20 and 21: G3 Use of Computer Assisted Audit T
Page 22 and 23: G3 Use of Computer Assisted Audit T
Page 24 and 25: G4 Outsourcing of IS Activities to
Page 28 and 29: G6 Materiality Concepts for Auditin
Page 30 and 31: G8 Audit Documentation1. BACKGROUND
Page 32 and 33: • Organisational characteristics;
Page 34 and 35: G10 Audit Sampling1. BACKGROUND1.1
Page 36 and 37: G10 Audit Sampling continued2.5.2 A
Page 38 and 39: G11 Effect of Pervasive IS Controls
Page 40 and 41: G11 Effect of Pervasive IS Controls
Page 42 and 43: G12 Organisational Relationship and
Page 44 and 45: G13 Use of Risk Assessment in Audit
Page 46 and 47: G14 Application Systems Review1. BA
Page 48 and 49: G15 Planning1.` BACKGROUND1.1 Linka
Page 50 and 51: G16 Effect of Third Parties on an O
Page 52 and 53: G16 Effect of Third Parties on an O
Page 54 and 55: G17 Effect of Nonaudit Role on the
Page 56 and 57: G17 Effect of Nonaudit Role on the
Page 58 and 59: G18 IT Governance continued4.1.3 Th
Page 60 and 61: G18 IT Governance continued• Info
Page 62 and 63: G19 Irregularities and Illegal Acts
Page 64 and 65: G19 Irregularities and Illegal Acts
Page 66 and 67: G20 Reporting continued2.1.1 The pu
Page 68 and 69: G20 Reporting continued• Statemen
Page 70 and 71: G21 Enterprise Resource Planning (E
Page 76 and 77:
G21 Enterprise Resource Planning (E
Page 78 and 79:
G22 Business-to-consumer (B2C) E-co
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
G23 System Development Life Cycle (
Page 88 and 89:
G23 System Development Life Cycle (
Page 90 and 91:
G24 Internet Banking continued• I
Page 92 and 93:
G24 Internet Banking continued6.1.2
Page 94 and 95:
G24 Internet Banking continued7.2.4
Page 96 and 97:
G24 Internet Banking continuedREFER
Page 98 and 99:
G25 Review of Virtual Private Netwo
Page 100 and 101:
3.6 Operating Risk3.6.1 Risks such
Page 102 and 103:
• Highlight the risks and issues
Page 104 and 105:
G26 Business Process Reengineering
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
G27 Mobile Computing1. BACKGROUND1.
Page 112 and 113:
G27 Mobile Computing continued• N
Page 114 and 115:
G28 Computer Forensics1. BACKGROUND
Page 116 and 117:
G28 Computer Forensics continued•
Page 118 and 119:
G28 Computer Forensics continued7.2
Page 120 and 121:
G29 Post-implementation Review1. BA
Page 122 and 123:
G29 Post-implementation Review cont
Page 124 and 125:
G29 Post-implementation Review cont
Page 126 and 127:
G30 Competence continued1.4.6 This
Page 128 and 129:
G30 Competence conntinued4. RECORDS
Page 130 and 131:
G31 Privacy continued1.6 Definition
Page 132 and 133:
G31 Privacy continued■■■Secur
Page 134 and 135:
G31 Privacy continued■■■■
Page 136 and 137:
IS Auditing ProceduresIS Risk Asses
Page 138 and 139:
IS Risk Assessment Measurement Proc
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Digital Signature and Key Managemen
Page 152 and 153:
SpecificTechnicalAspect of a CAOper
Page 154 and 155:
Intrusion Detection Procedure P3 co
Page 156 and 157:
Intrusion Detection Systems (IDS) R
Page 158 and 159:
ReportingSuggested ProceduresReport
Page 160 and 161:
Suggested Procedures for Preventing
Page 162 and 163:
Suggested Procedures for Preventing
Page 164 and 165:
Control Risk Self-assessment Proced
Page 166 and 167:
Page 168 and 169:
Facilitatedworkshop usingthe proces
Page 170 and 171:
Page 172 and 173:
Firewalls Procedure P6 continued2.1
Page 174 and 175:
Page 176 and 177:
Firewalls Procedure P6 continued•
Page 178 and 179:
Page 180 and 181:
Stateful inspection/dynamic packetf
Page 182 and 183:
Suggested ProceduresConfirm network
Page 184 and 185:
Firewalls Procedure P6 continuedHar
Page 186 and 187:
Irregularities and Illegal Acts Pro
Page 188 and 189:
AnalyticalproceduresDutiesApplicati
Page 190 and 191:
Irregularities and Illegal Acts Pro
Page 192 and 193:
Security Assessment-Penetration Tes
Page 194 and 195:
Security Assessment-Penetration Tes
Page 196 and 197:
InternetPenetrationTestingSuggested
Page 198 and 199:
InternalPenetrationTestingcontinued
Page 200 and 201:
WebApplicationcontinuedReportSugges
Page 202 and 203:
Evaluation of Management Control Ov
Page 204 and 205:
Evaluation of Management Control Ov
Page 206 and 207:
Aspects ofEncryptionOrganisationalm
Page 208 and 209:
IS Control Professionals StandardsI
Page 210:
ISACA Standards Documents CommentsI
show all

IS Standards, Guidelines and Procedures for Auditing and Control ...

Create successful ePaper yourself

Delete template?

Save as template?