03. Planning an IS Audit

03.03. Developing an IS Audit Program

Credit: People working at an office by Pavel Danilyuk, used under the Pexels License.

Briefly reflect on the following before we begin:

  • What should be included as key components of an IS audit program?
  • What are some pitfalls in developing an effective IS audit program?
  • How can IS Auditors prepare flexible programs to address common challenges faced in developing an IS audit program?

In this section, we examine how an effective IS audit program is developed: its elements, the methodologies and procedures it draws on, and its role in guiding auditors through an engagement.

An IS audit program is not merely a checklist; it’s a comprehensive framework that outlines the objectives, scope, timing, and direction of IS audits. It is a strategic guide that aligns the audit process with the organization’s goals and risk landscape so that the audit program is not only thorough but also pertinent to the specific needs and risk profile of the organization.

We will explore the components that form the backbone of an IS audit program, including the audit objectives, which define what the audit aims to achieve; the scope, detailing the breadth and depth of the audit; the resources, outlining the manpower, tools, and techniques required; and the timeline, which provides a schedule for audit activities. We will also review various IS auditing methodologies and procedures that serve as a toolkit of approaches that can be adapted to different audit environments. The methodologies range from traditional to innovative, each with its unique strengths.

Moreover, we will consider the importance of continuous improvement and adaptation in IS audit programs. Technology and business environments change constantly, so audit programs must be flexible and responsive to change, and IS auditors must stay abreast of emerging trends, risks, and technologies to keep their programs relevant and effective. Lastly, we will briefly discuss the soft skills required for developing an IS audit program, including communication, negotiation, and stakeholder management skills.

The IS Audit Program, Methodologies, and Procedures

A well-structured and thoughtfully developed IS audit program serves as a roadmap, guiding auditors through the complex landscape of information systems. An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit. It is based on the scope and objective of the specific audit engagement. The primary purposes of an audit program are to accomplish the following:

  • Formal documentation of audit procedures and sequential steps
  • Creation of procedures that are repeatable and easy to use by internal or external audit and assurance professionals who need to perform similar audits
  • Documentation of the type of testing that will be used (compliance and/or substantive)
  • Meeting generally accepted audit standards that relate to the planning phase in the audit process

The elements of an IS audit program are the building blocks for a successful audit as they ensure that the audit is aligned with organizational goals, appropriately scoped, well-resourced, effectively timed, and focused on key risk areas. A well-crafted IS audit program can enhance the audit process and contribute significantly to the organization’s overall risk management and governance efforts.

IS auditing methodologies and procedures form the backbone of the audit process as they connect the risk-based multi-year IS Audit plan to the execution and reporting on assurance and advisory engagements.

Imagine you are preparing for a long journey. Before embarking, you need a well-defined route, a list of essentials, and a plan for different scenarios you might encounter. Similarly, audit program development is akin to mapping out the journey you will undertake during the audit. It ensures that auditors are well-prepared and that the audit process remains structured and organized.

The exact order and details of planning an engagement, including establishing the objectives and scope, may vary according to the individual organization’s needs, audit activity, and engagement. However, the following key components are included in an effective IS Audit Program:

Defining Audit Objectives

The first step in developing an IS audit program is defining clear, precise audit objectives. These objectives set the direction for the audit and ensure its alignment with the organization’s goals and regulatory requirements. The engagement objectives articulate what the engagement is attempting to accomplish; therefore, the objectives should have a clear purpose, be concise, and be linked to the risk assessment. Well-defined objectives not only guide the auditor but also clarify the purpose and scope of the audit for stakeholders. They should be specific, measurable, and achievable, reflecting the unique aspects of the organization’s IT environment and business processes. A crucial part of this process is understanding the organization’s strategic objectives, as the audit should support and enhance these goals. IS auditors should validate that the objectives of the audit align with the business objectives of the area or process under review. The audit engagement should focus on ensuring controls are in place to effectively mitigate the risks that could prevent the area or process from accomplishing its business objectives. Audit objectives must also consider the probability of significant errors, fraud, noncompliance, and other exposures.

High-level audit objectives are typically established when finalizing the audit universe. This may include an evaluation of the:

  • Accuracy, validity, classification, and/or completeness of transactions and activities.
  • Appropriate authorization of select processes.
  • Reliability of IS processing.
  • Integrity of data and programs.
  • Appropriateness of IS development and implementation.
  • Adequacy of the safeguards around data and programs.
  • Continuity of business process management.

Determining the Scope of the Audit

Once the risk-based objectives have been formed, the scope of the audit engagement can be determined. Because an engagement generally cannot cover everything, IS auditors must determine what will and will not be included. The engagement scope sets the boundaries of the engagement and outlines what will be included in the review. IS auditors must carefully consider the boundaries of the engagement to ensure that the scope will be sufficient to achieve the engagement’s objectives.

The scope may define such elements as the specific processes and/or areas, geographic locations, and period (e.g., point in time, fiscal quarter, or calendar year) that will be covered by the engagement, given the available resources. IS auditors must carefully consider the breadth of the scope to ensure it enables timely identification of reliable, relevant, and useful information to accomplish the identified engagement objectives. To confirm that the scope meets the audit objectives and aligns with the organization’s annual audit plan, IT auditors must use sound professional judgment based on relevant experience and/or supervisory assistance. They must also consider relevant systems, records, personnel, and all physical properties.

IT auditors should consider legal factors affecting the engagement scope and approach. For example, if the organization or area under review has nondisclosure agreements with third parties, the organization may be required to notify regulatory authorities before starting the engagement. Pending or imminent litigation and cases of noncompliance should also be considered. Once the audit has begun, any work program modifications, including any scope changes, must be approved. Additionally, IT auditors should consider whether a separate consulting engagement is warranted if significant consulting opportunities arise during the audit. If so, a specific written understanding as to the objectives, scope, respective responsibilities, and expectations should be reached, and the results of the consulting engagement should be communicated in accordance with consulting standards.

Reviewing Existing Client Controls

A control may be defined as any action taken by management to enhance the likelihood that established objectives and goals will be achieved. At a detailed level, internal control objectives encompass the reliability and integrity of information; compliance with policies, plans, procedures, laws, and regulations; the safeguarding of assets; and the efficiency and effectiveness of operations.

An important aspect of an IS auditor’s methodology is to identify the existing controls and assess their design and operating effectiveness in addressing the risks faced by the organization.

Internal controls can be classified into various types and it is the combination of these controls that go to make up the overall system of internal controls designed to achieve the general control objectives. Such controls can be classified into:

  • Preventative controls, which act before the fact but can never be 100% effective and therefore cannot be wholly relied upon. Examples include user access restrictions, password requirements, and separate authorization of transactions.
  • Detective controls, which detect irregularities after they occur and may be cheaper than checking every transaction with a preventative control. Examples include the effective use of audit trails and exception reports.
  • Corrective controls, which ensure the correction of problems identified by detective controls and normally require human intervention within the IT function. Examples include disaster recovery plans and transaction-reversal capabilities. Corrective controls are highly error-prone because they operate in unusual circumstances and typically require a human to decide on an action and carry it out; an error at any stage compounds the original mistake.
  • Directive controls, which are designed to produce positive results and encourage acceptable behaviour. They do not themselves prevent undesirable behaviour and are commonly used where there is human discretion. Informing all users of personal computers that it is their responsibility to take adequate backups and store them appropriately does not enforce compliance; nevertheless, such a directive control can be monitored and action taken where the directive is breached.
  • Compensating controls, which exist where a weakness in one control is offset by a strength elsewhere. They are used to limit risk exposure and may trap the unwary evaluator, particularly where the auditor faces complex integrated systems whose control structures mix system-driven and human controls scattered across a variety of operational areas.

Controls may be manual or automated: manual controls are implemented by human intervention, and automated controls by the computer system itself. Controls may also be classified as application controls, which relate to the business function, or general IT controls, which relate to the running of the IT function. See Chapter 5 and Chapter 6 for more details on these controls.

Given the overall control objectives noted above, control structures must be designed to ensure:

  • Segregation of duties: Controls to ensure that those who physically handle assets are not the same people who record asset movements, reconcile those records, or authorize the transactions. Within a modern computer system this is normally achieved by a combination of user identification, user authentication, and user authorization.
  • Competence and integrity of people: Underpinning the control system are the people who enforce it. For controls to be effective, those who exercise control must be capable of doing so and honest enough to consistently do so. This means that simply having users follow procedures is inadequate in a modern information systems environment, and a high degree of risk and control awareness is required to ensure that the controls function as intended.
  • Appropriate levels of authority: A common mistake in control structures is granting too much authority within control boundaries. Authorities should only be granted on a need-to-have basis. If there is no need for a particular individual to have specific authorities, they should not be granted. Obviously this requires effort on the part of those individuals who assign authorities in identifying which levels of authority are in fact needed and which are simply desired. It is, unfortunately, still true in many sites that access control is limited to user authentication and after such authentication the user will then have unrestricted access into all functional areas within IT.
  • Accountability: For all decisions, transactions, and actions taken, there must be controls that will determine who did what with an acceptable degree of confidence. This normally involves the use of control logs and audit trails. Simply maintaining such logs and records can be counterproductive because they can lull the organization into a false sense of security. For such records to be an effective control they must be scrutinized regularly and appropriate action taken to remedy any discrepancies noted.
  • Adequate resources: Controls that are attempted with inadequate resources will typically fail whenever they come under stress. Adequate resources include manpower, finance, equipment, materials, and methodologies. Management frequently underestimates the cost of resources to implement controls, and IT auditors commonly recommend controls, giving no thought to the cost of such control and management’s lack of resources to implement.
  • Supervision and review: Adequate supervision of the appropriate type is fundamental to the implementation of sound internal control. It is unfortunately still true that in many cases people do not do what is expected, but only what is inspected.
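The segregation-of-duties and least-authority points above are the ones an IS auditor most often tests by script rather than by interview. The following is an added example written for this section (it is not code from the textbook or from any product): it takes a constructed user/role extract and role/permission matrix, as an auditor would export from an application’s administration console, and tests each user’s effective permission set against a conflict matrix of combinations that must never sit with one identity. All user names, role names, permission names and conflict pairs are constructed for illustration.

```python
"""Segregation-of-duties (SoD) test over a constructed access extract.

Added example, not from the textbook: the auditor exports (1) role -> permissions
and (2) user -> roles, expands each user's *effective* permissions, and tests that
set against a conflict matrix. Testing effective permissions rather than role
names also catches a conflict hidden inside a single over-broad role.
All identifiers below are constructed for illustration.
"""

# Role -> permissions, as exported from the (hypothetical) application's admin console.
ROLE_PERMISSIONS = {
    "ap_clerk":      {"create_vendor", "enter_invoice"},
    "ap_manager":    {"approve_payment"},
    "gl_accountant": {"post_journal"},
    "controller":    {"reconcile_ledger", "approve_payment"},
    "sysadmin":      {"manage_users", "post_journal", "create_vendor", "approve_payment"},
}

# User -> roles, from the same constructed export.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_manager"},        # can create vendors and approve payments
    "carol": {"gl_accountant", "controller"},   # posts journals and reconciles them
    "dave":  {"sysadmin"},
    "erin":  {"ap_manager"},
}

# Conflict matrix: permission pairs that must not be held by one identity.
# Each pair keeps "handle / record / reconcile / authorize" from being one person.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"post_journal", "reconcile_ledger"}),
    frozenset({"manage_users", "approve_payment"}),
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted through every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Return {user: [sorted conflicting pair, ...]} for every user holding a toxic combination."""
    report = {}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_perms)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if hits:
            report[user] = sorted(hits)
    return report


def roles_with_builtin_conflict(role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Roles whose own permission set already contains a conflict.

    This is a design finding, not a provisioning error: no assignment process
    can fix a role that is toxic on its own.
    """
    return sorted(r for r, p in role_perms.items() if any(c <= p for c in conflicts))


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        print(f"{user}: {hits}")
    print("roles with built-in conflicts:", roles_with_builtin_conflict())
```

Two points a practitioner would note. First, the test runs on effective permissions, so `dave` is flagged even though he holds a single role; the separate `roles_with_builtin_conflict` check turns that into a role-design finding rather than a user-provisioning one. Second, a hit is not automatically a reportable weakness: where management relies on a compensating control (for example, an independent review of payments approved by a user who also created the vendor), the auditor still has to test that the compensating control operates, which this script does not do.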

Within an information system there are three primary software components that add to or subtract from control. These components are as follows:

  • Systems Software includes computer programs and routines controlling computer hardware, processing, and non-user functions. This category includes the operating systems, telecommunications software, and data-management software.
  • Applications Software includes computer programs written to support business functions such as the general ledger, payroll, stock systems, order processing, and other such line-of-business functions.
  • End-User Systems are special types of application systems that are generated outside the IT organization to meet specific user needs. These include micro-based packages as well as user-developed systems. In many cases these systems were designed to achieve specific operational goals and may or may not have been designed with appropriate controls implemented.

A robust control framework may include the following control types along with their objectives:

  • General Control Objectives: These objectives, general in nature, cover the overall aspects of the integrity of information, computer security, and compliance with policies, plans, rules, laws, and regulations.
  • Application Control Objectives: Application systems have their own sets of built-in controls primarily business-systems oriented. Generally, they include such control objectives as accuracy, completeness, and authorization.
  • Program Control Objectives: The development and running of computer programs are subject to their own control objectives and procedures. Control objectives would include ensuring:
    • Integrity of programs and processing
    • Prevention of unwanted changes
    • Ensuring adequate design and development control
    • Ensuring adequate testing
    • Controlled program transfer
    • Ongoing maintainability of systems
  • Corporate Governance: The importance of good governance has become a watchword internationally and has been driven by the requirements of the global economy for transparency and accountability in organizational stewardship. Corporate governance involves the mechanisms by which a business enterprise is directed and controlled. It concerns the mechanisms through which corporate management is held accountable for corporate conduct and performance and provides the framework within which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.

Lastly, a good internal control system must also include regular communication of updates and reminders of policies and procedures to staff through emails, staff meetings, and other communication methods. Organizations must periodically assess risks and the level of internal control required to protect the organization’s IT assets and the records related to those risks. Progressive organizations also document the process for review, including when it will take place. Finally, management must take responsibility for making sure that all staff are familiar with policies and with changes to those policies.

Audit Criteria

IS auditors select criteria against which the subject matter will be assessed that are objective, complete, relevant, measurable, understandable, widely recognized, authoritative, and understood by, or available to, all users of the report. Identifying such criteria ensures that assurance engagement objectives are measurable, practical, and aligned with the organization’s objectives and the area or process under review. IS auditors must use the criteria already established by management and/or the board if such criteria exist. IS auditors must identify appropriate criteria through discussion with management and the board if no criteria exist. IS auditors should also consider seeking input from subject matter experts to help develop relevant criteria.

Examples of effective audit criteria include the following:

  • Existing key performance indicators.
  • Targets set during strategic planning.
  • The degree of compliance with area or process policies and procedures, regulations, and/or contracts.
  • Industry standards or benchmarks.

Adequate criteria will provide a reference for IS auditors to evaluate evidence, understand findings, and assess the adequacy of the controls in the area or process under review. The criteria, or lack thereof, should be compared to industry benchmarks, trends, forecasts, and the organization’s policies and procedures.

Audit Timeline, Scheduling, and Resource Allocation

Developing a realistic timeline and schedule for the audit is a critical aspect often overlooked. The timeline should account for all phases of the audit, from planning to reporting and should include specific milestones and be flexible enough to accommodate unforeseen delays or issues. Effective scheduling is a balancing act – it requires careful planning to ensure that each phase of the audit receives the attention it needs without rushing or unnecessarily prolonging the process. Coordination with various stakeholders to align schedules and availability is also crucial.

An IS audit is only as effective as the team behind it and the resources at their disposal; hence, allocating the right mix of skills and resources is vital. This includes selecting team members with diverse expertise in IT, auditing, and the specific industry. IS Audit executives must aim to create a multidisciplinary team capable of addressing the varied aspects of an information system. Additionally, ensuring that the team can access necessary tools, such as communications tools, audit working paper management software, and data analytics tools, is essential for a thorough and effective audit.

Other Considerations

Two further important aspects of IS auditing methodology and procedures (beyond those discussed above) are evidence-gathering techniques and audit sampling. Both are discussed in depth in the following two sections.

Beyond these, it is vital to note that the landscape of IS auditing has seen a transformative shift from traditional to modern techniques. Traditional methods, often manual and time-consuming, were focused on physical verifications and paper trails. As technology advanced, these methods evolved. Modern techniques now leverage digital tools and software, enhancing efficiency and accuracy. The transition from traditional to modern methodologies is not just a change in tools; it’s a paradigm shift in how auditors approach data and processes. This evolution is crucial for auditors to understand, as it reflects the dynamic nature of the field.

Emerging technologies such as Artificial Intelligence (AI), blockchain, and cloud computing are reshaping the IS auditing landscape. These technologies present new challenges and opportunities for auditors. For instance, with its decentralized and immutable ledger, blockchain technology requires a different auditing approach than traditional databases. Similarly, cloud computing introduces concerns related to data sovereignty and security. Auditors must stay informed about these developments and adapt their methodologies and procedures accordingly. Three of the most relevant technological considerations for IS auditors are discussed below.

Technological Considerations for IS Auditors

Computer-Assisted Auditing Techniques (CAATs)

Computer-Assisted Audit Techniques (CAATs) have revolutionized IS auditing. CAATs include a range of tools and techniques, from simple data extraction software to complex analysis programs. They allow auditors to automate certain audit tasks, increasing the efficiency and scope of the audit. In my practice, I’ve employed CAATs for tasks such as sampling, testing controls, and analyzing transactions. Their ability to process large volumes of data quickly makes them indispensable in the modern auditing environment. However, it’s crucial for auditors to understand not just how to use these tools, but also their limitations and the context in which they are most effective.

Data Analytics in IS Auditing

Data analytics has become a cornerstone in modern IS auditing. It allows auditors to analyze large datasets effectively, identifying trends and anomalies that might indicate risks or issues. My experience has shown that the use of data analytics can significantly enhance the audit process. It enables more comprehensive coverage and deeper insights into the audited systems. Data analytics tools vary in complexity, from basic spreadsheet functions to advanced software capable of sophisticated data manipulation and visualization. Auditors must be adept at selecting and utilizing the appropriate tools for their specific audit objectives.
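The CAAT and data-analytics paragraphs above describe testing controls and finding anomalies in transaction data. The following is an added example written for this section, not code from the textbook or from any audit tool: it runs three detective tests over a constructed accounts-payable extract and produces the kind of exception report the earlier discussion of audit trails refers to. The column names, the approval limit, the business-hours window and every log row are constructed assumptions for illustration.

```python
"""Exception report over a constructed payment log (added example, not from the text).

Three detective tests an IS auditor commonly scripts rather than reads line by line:
  1. self-approval: the approver is the same identity that entered the payment;
  2. out-of-hours approval: approved outside the assumed 08:00-18:00 window;
  3. threshold splitting: several payments to one vendor on one day that each sit
     just under the single-approver limit but together exceed it.
Field names, the limit, the window and the rows are constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

APPROVAL_LIMIT = 10_000.00   # hypothetical single-approver limit
SPLIT_BAND = 0.90            # "just under" = at least 90% of the limit
BUSINESS_HOURS = (8, 18)     # assumed window, hours of the day [start, end)

# Constructed extract: one row per payment, as exported from a hypothetical AP module.
SAMPLE_LOG = """\
txn_id,vendor,amount,entered_by,approved_by,approved_at
1001,ACME Ltd,9800.00,alice,erin,2024-03-04T10:15:00
1002,ACME Ltd,9700.00,alice,erin,2024-03-04T10:21:00
1003,ACME Ltd,9500.00,alice,bob,2024-03-04T10:30:00
1004,Globex,4200.00,bob,bob,2024-03-04T11:02:00
1005,Initech,12000.00,carol,erin,2024-03-04T23:40:00
1006,Globex,3100.00,alice,erin,2024-03-05T09:10:00
"""


def parse_log(text):
    """Parse the CSV extract into dicts with a typed amount and timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["amount"] = float(r["amount"])
        r["approved_at"] = datetime.fromisoformat(r["approved_at"])
        rows.append(r)
    return rows


def self_approvals(rows):
    """Payments where the entering and approving identity are the same."""
    return [r["txn_id"] for r in rows if r["entered_by"] == r["approved_by"]]


def out_of_hours(rows, hours=BUSINESS_HOURS):
    """Payments approved outside the business-hours window."""
    start, end = hours
    return [r["txn_id"] for r in rows if not (start <= r["approved_at"].hour < end)]


def threshold_splits(rows, limit=APPROVAL_LIMIT, band=SPLIT_BAND):
    """Group just-under-limit payments by (vendor, date); flag groups of two or more
    whose total exceeds the limit. Returns {(vendor, date): [txn_ids]}.
    The grouping ignores the approver on purpose: a split may be routed to
    several approvers so that no single one sees the whole amount."""
    groups = defaultdict(list)
    for r in rows:
        if band * limit <= r["amount"] < limit:
            groups[(r["vendor"], r["approved_at"].date().isoformat())].append(r)
    return {
        key: [r["txn_id"] for r in grp]
        for key, grp in groups.items()
        if len(grp) >= 2 and sum(r["amount"] for r in grp) > limit
    }


def exception_report(text=SAMPLE_LOG):
    """Run all three tests and return the exceptions keyed by test name."""
    rows = parse_log(text)
    return {
        "self_approval": self_approvals(rows),
        "out_of_hours": out_of_hours(rows),
        "threshold_split": threshold_splits(rows),
    }


if __name__ == "__main__":
    for test, hits in exception_report().items():
        print(f"{test}: {hits}")
```

Each hit is a lead for follow-up, not a finding by itself: the auditor still traces the flagged transactions to supporting evidence and asks whether a compensating control (for example, a later independent review) operated. As the accountability point earlier in this section warns, an exception report that nobody reviews and acts on is not a control at all, so the audit program should also test that management actually reviews such reports and what was done about the exceptions.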

Audit Procedure Standardization and Documentation

The documentation and standardization of audit procedures are vital for ensuring consistency and quality in IS audits. Standardized procedures provide auditors with a framework to follow, ensuring that audits are conducted systematically and comprehensively. In my teaching and auditing career, I’ve emphasized the importance of well-documented procedures. They serve as a reference point for auditors, helping to maintain consistency across different audits and auditors. Moreover, standardized procedures are essential for quality assurance and enable effective training of new auditors.

 

Having a thorough understanding of IS auditing methodologies and procedures is fundamental for aspiring and practicing IS auditors. The shift from traditional to modern techniques, the integration of data analytics and CAATs, the importance of standardized documentation, and the adaptation to emerging technologies are all crucial aspects. This knowledge is not static; it evolves with the technology and business landscape. As such, auditors must be lifelong learners, continually updating their skills and understanding to remain effective in their roles. More importantly, beyond the technical knowledge, IS auditors must also be cognizant of the soft skills (or enabling competencies) that will render them effective while implementing the IS audit program. Some of the most relevant soft skills expected from effective IS auditors include the following:

 

Soft Skills of Effective IS Auditors

Communication

Auditors must effectively convey complex technical findings to various stakeholders, including non-technical personnel and top management. Strong written and verbal communication skills are essential for drafting clear audit reports, explaining audit results, and collaborating with various teams.

Critical Thinking

IS auditors often encounter complex and ambiguous situations that require critical thinking and problem-solving abilities. They must analyze data, identify vulnerabilities, and develop recommendations. Critical thinking helps auditors make informed decisions and provide valuable insights to improve information systems.

Attention to Detail

The devil is in the details, and in IS auditing, precision is paramount. Auditors must meticulously examine systems, controls, and data to identify weaknesses and risks. Attention to detail ensures that no crucial information is overlooked during the audit process.

Adaptability

The field of IS auditing is constantly evolving, with new technologies, threats, and regulations emerging regularly. Auditors must be adaptable and open to learning. Being willing to embrace change and update skills is vital to remain relevant and effective.

Time Management

IS auditors often juggle multiple projects and deadlines. Effective time management skills are essential to prioritize tasks, meet deadlines, and maintain productivity. This skill ensures that audits are completed efficiently without compromising quality.

Problem-solving

IS auditors frequently encounter complex technical challenges. Problem-solving skills are invaluable when troubleshooting issues, finding root causes, and developing solutions to mitigate risks.

Teamwork

IS auditing is rarely a solo endeavor. Auditors often work in teams or alongside other departments. Being a team player and collaborating effectively with colleagues from different backgrounds is crucial to achieving audit objectives.

Emotional Intelligence

Understanding and managing emotions, both one’s own and those of others, is a valuable soft skill. It helps auditors navigate challenging conversations, build rapport, and make informed decisions based on empathy and understanding.

 

In the Spotlight

For additional context on conducting an IS audit, please read the following articles:

Emley B. (2023). The ultimate guide to conducting an IT audit. Zapier. http://zapier.com/blog/it-audit/

Cooke, I. (2017). IS audit basics: Audit programs. ISACA Journal, 4. http://isaca.org/resources/isaca-journal/issues/2017/volume-4/is-audit-basics-audit-programs

 

Key Takeaways

Let’s recap the key concepts discussed in this section by watching this video.

Source: Mehta, A.M. (2023, December 6). AIS OER ch 03 topic 03 key takeaways [Video]. https://youtu.be/5vttCiCkiC8

 

Knowledge Check

 

Review Questions

  1. Explain the importance of defining clear audit objectives in an IS Audit Program. What should these objectives align with?
  2. What factors should be considered when determining the scope of an IS audit?

 

Mini Case Study

TechStream Inc., a leader in financial management software solutions, boasts a 15-year history with a global presence. The company, headquartered in New York, commands an impressive annual revenue of approximately $500 million and employs around 3,000 staff worldwide, with significant operations across Europe (Germany, UK) and Asia (India, Japan). TechStream Inc.’s software solutions are diverse, offering both on-premise installations and cloud-based services. Recently, they have started integrating AI algorithms to enhance their financial analysis capabilities, showcasing their commitment to technological advancement. The company’s transition to the cloud is noteworthy, with a substantial reliance on third-party cloud service providers for its cloud offerings and ongoing initiatives to migrate critical data storage services to cloud platforms. This transition is coupled with exploratory ventures into IoT technology, aimed at harnessing real-time financial data from various sources. TechStream Inc.’s clientele is broad and includes large financial institutions, mid-sized banks, and emerging fintech startups, making the handling of sensitive financial data, such as transaction histories and customer information, a regular occurrence.

Operating on an international scale, TechStream Inc. must navigate a complex regulatory landscape, adhering to various international regulations like the GDPR in Europe and other data protection laws globally. Regular audits by financial regulators are a part of their operational norm due to the sensitive nature of their client base. The company’s IT infrastructure presents a blend of legacy systems and modern cloud-based solutions, recently adapting to increased remote work scenarios with greater reliance on VPNs and cloud applications.

Despite their robust technology adoption, security remains a focal concern, especially with minor past incidents and growing apprehensions about potential vulnerabilities, particularly in new cloud and IoT integrations. While the company maintains an internal IT security team, it often leans on external consultants for comprehensive security audits and assessments. Current IT challenges include the integration of AI and machine learning for advanced data analytics and ensuring secure, seamless integration of an increasing number of IoT devices. Alongside these technological strides, TechStream Inc. is also planning a significant expansion of its cloud storage capabilities, further solidifying its position as a tech-forward company in the financial software domain.

Required: Based on the risk assessment and prioritization, an audit of customer data security must be performed during the upcoming quarter. Analyze how the audit team should approach the development of the IS audit program for TechStream Inc., considering the concepts discussed in this section.


License


Auditing Information Systems Copyright © 2024 by Amit M. Mehta is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
