Information Systems Audit: The Basics
What should you expect from an IS audit? Jennifer Bayuk spells out the audit process, step by step.
By Jennifer Bayuk
In the event that an auditor can find no evidence corresponding to a given control objective, this issue will be labeled as a finding. A documented audit finding should have four or five parts. These are:
Condition: a factual description of audit evidence
Criteria: some standard that indicates why the condition impairs management ability to achieve control objectives
Cause: the root cause of the situation that introduced the control weakness
Effect: the risk that the condition presents to the audited organization, stated in terms of potential business impact
Recommendation: an appropriate management response (optional)
At any given point during the fieldwork, an auditor will have a list of potential findings. They may not yet be fully documented, but the condition may be known. The IT management contact for the audit should frequently touch base with the auditor during the fieldwork, and ask whether there are any potential findings. It is the role of the IT contact to assist both management and the auditor in the quest for evidence that would provide assurance that the control objective is met, and thus eliminate the finding.
The Assessment Report
Whether or not there are any audit findings, an audit will conclude with an assessment report. This is the formal opinion of the auditor with respect to the topic of the management concern driving the audit objective. The audit objective will be stated, the audit methodology will be briefly described, and there will be a statement with respect to the auditor's professional opinion on whether the management concern is adequately addressed. Where there are findings, these will be listed. The report may also include recommendations for management activity that would reduce the impact of the findings. In cases where auditors are permanent employees of the organization, or on retainer to monitor recurring management concerns (such as financial statement generation), they may request formal management commitment to a specific plan designed to eliminate the finding. This remediation activity is often formally tracked to completion. The audit is often considered to remain "open" until the remediation activity is complete.
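The article describes a finding as a structured record (condition, criteria, cause, effect, optional recommendation), notes that during fieldwork a potential finding may have only its condition known, and says the audit stays "open" until remediation is complete. The following is an added example of how an IT contact might track that lifecycle; it is not code from the article or its author. The control objectives, evidence items, and the `Finding`, `draft_findings`, `resolve_with_evidence` and `audit_status` names are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical record of one audit finding, mirroring the parts named in the
# article: condition, criteria, cause, effect, and an optional recommendation.
@dataclass
class Finding:
    control_objective: str
    condition: str                        # factual description of audit evidence
    criteria: str = ""                    # standard the condition falls short of
    cause: str = ""                       # root cause of the control weakness
    effect: str = ""                      # risk, in terms of business impact
    recommendation: Optional[str] = None  # optional management response
    remediated: bool = False              # set once remediation is tracked to completion

    def missing_parts(self):
        """Mandatory parts that are still empty; recommendation is optional."""
        parts = {"criteria": self.criteria, "cause": self.cause, "effect": self.effect}
        return [name for name, value in parts.items() if not value.strip()]


# Constructed sample data (not from the article): objectives in audit scope
# and the evidence collected so far for each. An empty list means no evidence.
CONTROL_OBJECTIVES = {
    "CO-1": "Production database access is limited to authorized staff",
    "CO-2": "Production changes are approved before deployment",
    "CO-3": "Backups are restore-tested at least quarterly",
}
EVIDENCE = {
    "CO-1": ["Q2 access review sign-off", "DB role membership export"],
    "CO-2": [],
    "CO-3": [],
}


def draft_findings(objectives, evidence):
    """Potential findings during fieldwork: one draft per objective lacking evidence.

    Only the condition is known at this stage; criteria, cause and effect are
    documented later, which is why the drafts will fail audit_status() as-is.
    """
    drafts = []
    for obj_id, text in objectives.items():
        if evidence.get(obj_id):
            continue  # evidence exists, so the objective is met for audit purposes
        drafts.append(Finding(obj_id, condition=f"No evidence provided that: {text}"))
    return drafts


def resolve_with_evidence(drafts, new_evidence):
    """Drop drafts whose objective now has evidence supplied by the IT contact."""
    return [d for d in drafts if not new_evidence.get(d.control_objective)]


def audit_status(findings):
    """Reject undocumented findings; report 'open' until every finding is remediated."""
    for f in findings:
        if f.missing_parts():
            raise ValueError(f"{f.control_objective}: undocumented parts {f.missing_parts()}")
    return "open" if any(not f.remediated for f in findings) else "closed"


if __name__ == "__main__":
    drafts = draft_findings(CONTROL_OBJECTIVES, EVIDENCE)
    print("potential findings:", [d.control_objective for d in drafts])
    # The IT contact locates evidence for CO-3 during fieldwork, eliminating that draft.
    remaining = resolve_with_evidence(drafts, {"CO-3": ["Q1 restore test log"]})
    for f in remaining:
        f.criteria = "Change approval is required by the organization's change policy"
        f.cause = "Approval workflow not enforced in the deployment tool"
        f.effect = "Unapproved changes could disrupt production services"
        f.recommendation = "Require a ticket reference before deployment"
    print("audit status:", audit_status(remaining))
```

The drafts deliberately fail `audit_status()` until the remaining parts are filled in, which keeps an incompletely documented finding from being reported as if it were final.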
An IT manager whose work is within the scope of an audit has a responsibility to cooperate with the auditor's quest to validate a management concern. The audit should proceed smoothly to the extent that the accountable IT manager has a complete understanding of the source of the management concern, is satisfied with the translation of that concern into an audit objective, agrees that the scope maps directly to the objective, maintains evidence that control objectives are met, and fully understands the auditor's reasoning with respect to findings. Where there is disagreement with the auditor on any of these key aspects of the audit, the issue should be escalated through the IT management chain. This internal IT management communication may or may not have any effect on the audit process, but it will serve to demonstrate that the auditee fully understands the audit process and is willing to engage in open discussion and informed debate on audit issues.