03. Planning an IS Audit
This chapter will dive deeper into the crucial aspect of Information Systems (IS) Auditing – planning. Imagine building a house without a blueprint or embarking on a long road trip without a map. In both cases, the lack of planning can lead to chaos and uncertainty. Similarly, in IS auditing, planning is the blueprint that guides us in navigating the complex landscape of information systems. It is the foundation upon which the entire IS audit process rests.
Our discussion starts with the development of risk-based IS audit plans. In doing so, we will discuss the intricacies of risk-based IT audit planning, aligning audit plans with organizational goals, and documenting and gaining stakeholder approval for the IS audit plan.
Next, we will discuss the nature, role, and importance of risk assessment and materiality in IS audits. We will explore identifying, analyzing, and evaluating IS risks. Moreover, we will discuss the IS auditor’s ongoing role in continuous risk monitoring. This will serve as a lead-in to the discussion around the relevant elements of an IS audit program, providing a comprehensive understanding of its structure and purpose. We will also consider various IS auditing methodologies and procedures.
Having a plan is one thing, but executing it effectively is another. In addition to reviewing the relevance and types of evidence-gathering techniques, we will also discuss the IS auditor’s need to obtain sufficient and appropriate audit evidence. Sampling is a fundamental aspect of IS auditing, and in the final part of this chapter, we will explore the intricacies of audit sampling. Specifically, we will review various sampling methods used in IS audits and understand how to determine sample sizes and confidence intervals. We will also consider how sampling errors can impact audit conclusions.
The primary objective of this chapter is to proffer the foundational knowledge and skills needed to create a robust IS audit plan, assess risks, develop an audit program, gather evidence effectively, and employ sampling techniques. These skills are essential in becoming a proficient IS auditor, ready to address the challenges and opportunities in the dynamic field of information systems auditing.
Learning Objectives
By the end of this chapter, you should be able to
- Develop comprehensive risk-based IS audit plans that align with organizational goals.
- Identify, analyze, and evaluate IS risks, allowing them to prioritize audit activities effectively.
- Develop IS audit programs that outline audit procedures, methodologies, and key considerations for different audit engagements.
- Understand the concept of materiality and its influence on decision-making during the IS audit process.
- Apply relevant evidence-gathering techniques to effectively collect and analyze audit evidence.
- Utilize various sampling methods, including determining sample sizes, calculating confidence intervals, and managing sampling errors.
The process of determining the focus, objectives, and scope of an IT audit.
The process of identifying, analyzing, and evaluating risks inherent in information systems.
The ongoing process of overseeing risk factors to identify and respond to risks in real-time.
The approaches and techniques used in conducting IS audits.
Methods used by auditors to collect evidence, such as inquiry, observation, and analysis.
The process of examining a subset of data or transactions to conclude on the entire dataset in an audit.
Errors that occur when the selected sample does not accurately represent the entire population.
