1. Assessment of internal controls within the IS environment to assure validity, reliability, and security of information.
2. Assessment of the efficiency and effectiveness of the IS environment in economic terms.

Different audit organizations go about IS auditing in different ways, and individual IS auditors have their own favourite methodologies and strategies. The audit methodology is a set of documented audit procedures designed to achieve audit objectives. The audit strategy is the audit methodology.
36 | K I B U B I T 4 1 2 2 0 1 8 / 2 0 1 9

Components of Audit Methodology

1. A statement of scope
2. Statement of audit objectives
3. Statement of work programs

Audit objective(s) refers to the specific goal of an audit. An audit may incorporate several audit objectives. Audit objectives often centre around substantiating that internal controls exist to minimize business risk. Management may give the IS auditor a general objective to follow when performing an audit.

Audit Risk and Materiality

More and more organizations are moving to a risk-based audit approach that is usually adapted to develop and improve the continuous audit process. This approach is used to assess risk and to assist with an IS auditor's decision to do either compliance testing or substantive testing. In a risk-based audit approach, IS auditors do not rely on risk alone; they also rely on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices.

Business risks are the concerns about the probable effects of an uncertain event on achieving established objectives. The nature of business risks may be:

o Financial
o Regulatory
o Operational

By understanding the nature of the business, IS auditors can categorize the types of risks that will better determine the risk model or approach in conducting the audit.

Risk-Based Approach

This approach emphasizes knowledge of the business and technology. It focuses on:

o Assessing the effectiveness of a combination of controls
o Linkage between risk assessment and testing, focusing on control objectives
o The business from a management perspective

Types of Risks

1. Inherent risk: The risk that an error exists which could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls.
2. Control risk: The risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls.
3. Detection risk: The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when in fact they do.