Information Systems Audit: The Basics
What should you expect from an IS audit? Jennifer Bayuk spells out the audit process, step by step.
By Jennifer Bayuk
The control objectives serve as a checklist to ensure that the auditor has covered the complete scope of the audit, while the planned technology tests may change during the course of the audit. In advance of any on-site meeting with an auditee, an auditor will associate each control objective with a set of activities that would provide evidence that the control objective is met. As far as possible, they will devise tests in advance that should yield evidence that the activities are well established and produce reliable results. The control objectives and associated test plans are referred to as the audit program.
When the auditor is ready to begin actual audit testing, the management contact will be requested to schedule an opening meeting. The contact is expected to meet the auditor upon arrival, and to facilitate auditor communication with other IT personnel whose services may be required to assist in the performance of audit tests. If at all possible, the contact should obtain a copy of the audit program prior to the opening meeting in order to schedule resources adequate to support the audit process. If not, the auditor should be requested to bring it to the opening meeting so that the affected management can review it at that time, and use it to schedule resources with the auditor (or audit team) accordingly.
Fieldwork, Findings and Compensating Controls
Audit fieldwork is the process of identifying the people, process, and technology within a given systems environment that correspond to expected control activities. Management accountable for audit results should do their best to ensure that an auditor is always speaking with the expert in the area under review. They should caution personnel not to make guesses in responses to audit questions, but instead to refer the auditor to the appropriate subject matter expert, or back to the accountable management contact.
As every security professional knows, it is extremely difficult to keep abreast of all the new management tools and techniques available for controlling IT, much less to determine which one is the best fit for a given control objective. In recognition of this difficulty, audit programs are usually well established and uncontroversial: they state control objectives in general terms, so that each objective can be satisfied by a wide variety of technology tools and techniques rather than by one prescribed product or method.
Where auditors cannot find evidence that a control objective is met, they will circle back to the accountable manager to see if there is some activity within the organization that qualifies as meeting the objective but was not anticipated by the auditor, whether through inexperience or through unfamiliarity with the control environment. If they find such an activity, and can gather evidence that it operates as described, they may refer to it as a "compensating control." This allows them to conclude that the control objective is met even though the control activity they expected does not exist, because the newly found activity compensates for the absence of the expected one.