IS Standards, Guidelines and Procedures for Auditing and Control ...

More documents

Recommendations

Info

G15 Planning1.` BACKGROUND1.1 Linkage to ISACA Standards1.1.1 Standard S5 Planning states, "The IS auditor should plan the information systems audit coverage to address the auditobjectives and to comply with applicable laws and professional auditing standards."1.2 Need for Guideline1.2.1 The purpose of this guideline is to define the components of the planning process as stated in standard S5 of the IS AuditingStandards.1.2.2 This guideline also provides for planning in the audit process to meet the objectives set by COBIT ® .2. PLANNING2.1 Business Requirements2.1.1 This guideline relates to a specific auditing project rather than the complete plan of an audit department or group.2.1.2 The IS auditor should develop an audit plan that takes into consideration the objectives of the auditee relevant to the auditarea and its technology infrastructure. Where appropriate, the IS auditor should also consider the area under review and itsrelationship to the organisation (strategically, financially and/or operationally) and obtain information on the strategic plan,including the IS strategic plan.2.1.3 The IS auditor should have an understanding of the auditee’s information architecture and the auditee’s technologicaldirection to be able to design a plan appropriate for the present and, where appropriate, future technology of the auditee.2.1.4 Terms of reference should be part of the audit plan.2.1.5 A risk assessment and prioritisation of identified risks for the area under review and the organisation’s IS environment shouldbe carried out to the extent necessary. See the IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning.2.2 Knowledge of the Organisation2.2.1 Before beginning an auditing project, the work of the IS auditor should be planned in a manner appropriate for meeting theaudit objectives. As a part of the planning process IS auditors should obtain an understanding of the organisation and itsprocesses. In addition to giving the IS auditor an understanding of the organisation's operations and its IS requirements, thiswill assist the IS auditor in determining the significance of the IS resources being reviewed as they relate to the objectives ofthe organisation. IS auditors should also establish the scope of the audit work and perform a preliminary assessment ofinternal control over the function being reviewed.2.2.2 The extent of the knowledge of the organisation and its processes required by the IS auditor will be determined by the natureof the organisation and the level of detail at which the audit work is being performed. The IS auditor may require specialisedknowledge when dealing with unusual or complex operations. A more extensive knowledge of the organisation and itsprocesses will ordinarily be required when the audit objective involves a wide range of information system functions ratherthan when the objectives are for limited functions. For example, a review with the objective of evaluating control over anorganisation's payroll system would ordinarily require a more thorough understanding of the organisation than a review withthe objective of testing controls over a specific program library system.2.2.3 The IS auditor should gain an understanding of the types of events, transactions and practices that can have a significanteffect on the specific organisation, function, process or data that is the subject of the auditing project. Knowledge of theorganisation should include the business, financial and inherent risks facing the organisation as well as conditions in theorganisation's marketplace. It should also include the extent to which the organisation relies on outsourcing to meet itsobjectives. The IS auditor should use this information in identifying potential problems, formulating the objectives and scope ofthe work, performing the work and considering actions of management for which the IS auditor should be alert.2.3 Materiality2.3.1 In the planning process, the IS auditor should ordinarily establish levels of planning materiality such that the audit work will besufficient to meet the audit objectives and will use audit resources efficiently. For example, in the review of an existing systemthe IS auditor will evaluate materiality of the various components of the system in planning the audit programme for the workto be performed. The IS auditor should consider both qualitative and quantitative aspects in determining materiality. Forfurther information on materiality, see the IS Auditing Guideline G6 Materiality Concepts for Auditing Information Systems.2.4 Risk Assessment2.4.1 An assessment of risk should be made to provide reasonable assurance that all material items will be adequately coveredduring the audit work. This assessment should identify areas with relatively high risk of existence of material problems.2.5 Internal Control Evaluation48
G15 Planning continued2.5.1 Auditing projects should include consideration of internal controls either directly as a part of the auditing project objectives oras a basis for reliance upon information being gathered as a part of the auditing project. Where the objective is evaluation ofinternal controls the IS auditor should consider the extent to which it will be necessary to review such controls. When theobjective is to assess the effectiveness of controls over a period of time the audit plan should include procedures appropriatefor meeting the audit objectives, and these procedures should include compliance testing of controls. When the objective isnot to assess the effectiveness of controls over a period of time, but rather to identify control procedures at a point in time,compliance testing of controls may be excluded.2.5.2 When the IS auditor evaluates internal controls for the purpose of placing reliance on control procedures in support ofinformation being gathered as part of the audit, the IS auditor should ordinarily make a preliminary evaluation of the controlsand develop the audit plan on the basis of this evaluation. During a review, the IS auditor will consider the appropriateness ofthis evaluation in determining the extent to which controls can be relied upon during testing. For example, in using computerprograms to test data files, the IS auditor should evaluate controls over program libraries containing programs being used foraudit purposes to determine the extent to which the programs are protected from unauthorised modification.3. DOCUMENTATION3.1 Planning Documentation3.1.1 The IS auditor's workpapers should include the audit plan and the programme.3.1.2 The audit plan may be documented on paper or in another appropriate and retrievable form.3.2 Plan Endorsement3.2.1 To the extent appropriate, the audit plan, audit programme and any subsequent changes should be approved by the auditmanagement.3.3 Audit Programme3.3.1 A preliminary programme for a review should ordinarily be established by the IS auditor before the start of the work. This auditprogramme should be documented in a manner that will permit the IS auditor to record completion of the audit work andidentify work that remains to be done. As the work progresses, the IS auditor should evaluate the adequacy of the programmebased on information gathered during the audit. When the IS auditor determines that the planned procedures are notsufficient, the IS Auditor should modify the programme accordingly.3.3.2 Depending on the audit resources required, the IS auditor should include management of the personnel resources required inthe audit plan.3.3.3 The audit plan should be prepared so that it is in compliance with any appropriate external requirements in addition to ISAuditing Standards.3.3.4 In addition to a listing of the work to be done, the IS auditor should, to the extent practicable, prepare a list of personnel andother resources required to complete the work, a schedule for the work, and a budget.3.3.5 During the course of the work, the IS auditor should consider changes to the audit programme based on the IS auditor'sevaluation of the adequacy of the programme and the IS auditor's preliminary findings.4. EFFECTIVE DATE4.1 This guideline is effective for all information systems audits beginning on or after 1 March 2002.49
Page 1: IS Standards, Guidelines and Proced
Page 4 and 5: Code of Professional EthicsThe Info
Page 6 and 7: IS Auditing Standards OverviewIssue
Page 8 and 9: IS Auditing StandardsIssued by Info
Page 10 and 11: 03 The IS auditor should plan the i
Page 12 and 13: information provided, appropriate t
Page 14 and 15: Operative Date14 This ISACA standar
Page 16 and 17: IS Auditing GuidelinesG1 Using the
Page 18 and 19: G2 Audit Evidence Requirement1. BAC
Page 20 and 21: G3 Use of Computer Assisted Audit T
Page 22 and 23: G3 Use of Computer Assisted Audit T
Page 24 and 25: G4 Outsourcing of IS Activities to
Page 26 and 27: G5 Audit Charter continued2.3.2 The
Page 28 and 29: G6 Materiality Concepts for Auditin
Page 30 and 31: G8 Audit Documentation1. BACKGROUND
Page 32 and 33: • Organisational characteristics;
Page 34 and 35: G10 Audit Sampling1. BACKGROUND1.1
Page 36 and 37: G10 Audit Sampling continued2.5.2 A
Page 38 and 39: G11 Effect of Pervasive IS Controls
Page 40 and 41: G11 Effect of Pervasive IS Controls
Page 42 and 43: G12 Organisational Relationship and
Page 44 and 45: G13 Use of Risk Assessment in Audit
Page 46 and 47: G14 Application Systems Review1. BA
Page 50 and 51: G16 Effect of Third Parties on an O
Page 52 and 53: G16 Effect of Third Parties on an O
Page 54 and 55: G17 Effect of Nonaudit Role on the
Page 56 and 57: G17 Effect of Nonaudit Role on the
Page 58 and 59: G18 IT Governance continued4.1.3 Th
Page 60 and 61: G18 IT Governance continued• Info
Page 62 and 63: G19 Irregularities and Illegal Acts
Page 64 and 65: G19 Irregularities and Illegal Acts
Page 66 and 67: G20 Reporting continued2.1.1 The pu
Page 68 and 69: G20 Reporting continued• Statemen
Page 70 and 71: G21 Enterprise Resource Planning (E
Page 78 and 79: G22 Business-to-consumer (B2C) E-co
Page 86 and 87: G23 System Development Life Cycle (
Page 88 and 89: G23 System Development Life Cycle (
Page 90 and 91: G24 Internet Banking continued• I
Page 92 and 93: G24 Internet Banking continued6.1.2
Page 94 and 95: G24 Internet Banking continued7.2.4
Page 96 and 97: G24 Internet Banking continuedREFER
Page 98 and 99:
G25 Review of Virtual Private Netwo
Page 100 and 101:
3.6 Operating Risk3.6.1 Risks such
Page 102 and 103:
• Highlight the risks and issues
Page 104 and 105:
G26 Business Process Reengineering
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
G27 Mobile Computing1. BACKGROUND1.
Page 112 and 113:
G27 Mobile Computing continued• N
Page 114 and 115:
G28 Computer Forensics1. BACKGROUND
Page 116 and 117:
G28 Computer Forensics continued•
Page 118 and 119:
G28 Computer Forensics continued7.2
Page 120 and 121:
G29 Post-implementation Review1. BA
Page 122 and 123:
G29 Post-implementation Review cont
Page 124 and 125:
G29 Post-implementation Review cont
Page 126 and 127:
G30 Competence continued1.4.6 This
Page 128 and 129:
G30 Competence conntinued4. RECORDS
Page 130 and 131:
G31 Privacy continued1.6 Definition
Page 132 and 133:
G31 Privacy continued■■■Secur
Page 134 and 135:
G31 Privacy continued■■■■
Page 136 and 137:
IS Auditing ProceduresIS Risk Asses
Page 138 and 139:
IS Risk Assessment Measurement Proc
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Digital Signature and Key Managemen
Page 152 and 153:
SpecificTechnicalAspect of a CAOper
Page 154 and 155:
Intrusion Detection Procedure P3 co
Page 156 and 157:
Intrusion Detection Systems (IDS) R
Page 158 and 159:
ReportingSuggested ProceduresReport
Page 160 and 161:
Suggested Procedures for Preventing
Page 162 and 163:
Suggested Procedures for Preventing
Page 164 and 165:
Control Risk Self-assessment Proced
Page 166 and 167:
Page 168 and 169:
Facilitatedworkshop usingthe proces
Page 170 and 171:
Page 172 and 173:
Firewalls Procedure P6 continued2.1
Page 174 and 175:
Page 176 and 177:
Firewalls Procedure P6 continued•
Page 178 and 179:
Page 180 and 181:
Stateful inspection/dynamic packetf
Page 182 and 183:
Suggested ProceduresConfirm network
Page 184 and 185:
Firewalls Procedure P6 continuedHar
Page 186 and 187:
Irregularities and Illegal Acts Pro
Page 188 and 189:
AnalyticalproceduresDutiesApplicati
Page 190 and 191:
Irregularities and Illegal Acts Pro
Page 192 and 193:
Security Assessment-Penetration Tes
Page 194 and 195:
Security Assessment-Penetration Tes
Page 196 and 197:
InternetPenetrationTestingSuggested
Page 198 and 199:
InternalPenetrationTestingcontinued
Page 200 and 201:
WebApplicationcontinuedReportSugges
Page 202 and 203:
Evaluation of Management Control Ov
Page 204 and 205:
Evaluation of Management Control Ov
Page 206 and 207:
Aspects ofEncryptionOrganisationalm
Page 208 and 209:
IS Control Professionals StandardsI
Page 210:
ISACA Standards Documents CommentsI
show all

IS Standards, Guidelines and Procedures for Auditing and Control ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?