Audit Planning Flashcards
Individual Audit Assignments
In addition to overall annual planning, each individual audit assignment must be adequately planned.
An IS auditor should understand that other considerations,
such as the results of periodic risk assessments, changes in the application of technology, and evolving privacy issues and regulatory requirements, may impact the overall approach to the audit.
An IS auditor should also take into consideration
system implementation/upgrade deadlines, current and future technologies, requirements from business process owners, and IS resource limitations.
When planning an audit, an IS auditor must understand
the overall environment under review.
To perform audit planning, an IS auditor should perform the following steps:
- Gain an understanding of the organization’s mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security, and business technology and information confidentiality.
- Gain an understanding of the organization’s governance structure and practices related to the audit objectives.
- Understand changes in the business environment of the auditee. • Review prior work papers.
- Identify stated contents such as policies, standards and required guidelines, procedures, and organization structure.
- Perform a risk analysis to help in designing the audit plan. • Set the audit scope and audit objectives.
- Develop the audit approach or audit strategy.
- Assign personnel resources to the audit.
- Address engagement logistics.
An IS auditor would perform the following steps to determine an organization’s level of compliance with external requirements:
• Identify those government or other relevant external requirements dealing with: – Electronic data, personal data, copyrights, ecommerce, esignatures, etc.
– Information system practices and controls
– The manner in which computers, programs and data are stored
– The organization or the activities of information technology services – IS audits
• Document applicable laws and regulations.
• Assess whether the management of the organization and the IT function have considered the relevant external requirements in making plans and in setting policies, standards and procedures, as well as business application features.
• Review internal IT department/function/activity documents that address adherence to laws applicable to the industry.
• Determine adherence to established procedures that address these requirements.
• Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.
In an integrated application environment,
controls are embedded and designed into the business application that supports the processes.
Typical ecommerce architectures include the following types:
• Single-tier architecture is a client-based application running on a single computer.
• Two-tier architecture is composed of the client and server. • Three-tier architecture is comprised of the following:
– The presentation tier displays information that users can access directly such as a web page or an operating system’s (OS’s) graphical user interface.
– The application tier (business logic/applications) controls an application’s functionality by performing detailed processing.
– The data tier is usually comprised of the database servers, file shares, etc. andthe data access layer that encapsulates the persistence mechanisms and exposes the data.
For security reasons, persistent customer data should not
be stored on web servers that are exposed directly to the Internet.
