Information Systems Audit: The Basics
What should you expect from an IS audit? Jennifer Bayuk spells out the audit process, step by step.
By Jennifer Bayuk
It is sometimes a challenge for auditors representing management interests to map the audit objective onto technology. They first identify the business activity most likely to yield the best evidence in support of the audit objective. They then identify which application systems and networks handle the information that supports that business activity. For example, an audit may focus on a given IT process, in which case its scope will include the systems used to create input for, to execute, or to control that IT process. An audit focused on a given business area will include the systems necessary to support the business process. An audit that focuses on data privacy will cover the technology controls that enforce confidentiality on any database, file system, or application server that provides access to personally identifiable data.
From the point of view of the IT manager, scope should be clear from the outset of the audit. It should be a well-defined set of people, processes, and technology that clearly corresponds to the audit objective. If an auditor does not understand the technology environment before the audit begins, there may be mistakes in scope definition. Where such mistakes happen, they are often caught in the course of the audit, and systems that previously were not in scope may be declared to be in scope. Audit professionals call this "scope creep." They generally try to avoid it, because the consequence is that more resources than planned will be needed to meet the audit objective.
Once the scope is determined, the auditor will be provided with a contact for the review. In some organizations, the role of audit liaison is formally assigned. This role often falls to an information security professional, but audit has no expectation that it will be someone in security. By default, it would be the highest-ranking person in the IT management chain whose responsibilities fully cover the systems within the scope of the audit. This contact will be asked to provide background information on the systems that the auditor can use to plan the audit. Policies, architecture diagrams, systems manuals, and other documentation will often be requested in advance of the audit.
Management Practices and the Control Environment
The preliminary data-gathering effort allows the auditor to verify that the scope has been set correctly, and also to form a set of control objectives, which will be the basis for audit testing. Control objectives are management practices that are expected to be in place in order to achieve control over the systems to the extent required to meet the audit objective. Auditors will repeatedly emphasize that control objectives are management practices. It is expected that the control objectives have been consciously established by management, that management provides leadership and resources to achieve them, and that management monitors the environment to ensure that they are met. The control environment is management behavior that provides leadership and accountability for controls; it is synonymous with the succinct phrase "the tone is set at the top." It is an absolute and nonnegotiable requirement for every audit that management responsibility with respect to system operation be undeniably clear to everyone within the organization under review.