A major part of the work of a Certified Information Systems Auditor is auditing itself. CISA professionals may hold positions in some companies where they do not perform audits, but much of the time auditing will be their main work.
IS auditing is not very different from other types of auditing, so IS auditors follow the same auditing process that other auditors do. Primarily this is a four stage process:
- Planning
- Field Work
- Reporting
- Follow up/Corrective Action
Here are details of the activities you will be doing in each step of the auditing process:
Planning:
As you would expect from a professional, you have to plan your auditing assignment well before you actually start your work. During the planning process, we build an understanding of the entity by reviewing the information available to us before actually visiting it.
We may look at the Permanent File (which holds documented information about the entity from previous years and is updated and brought current every year), or we may look at other publicly available information.
We may also request from the entity any information it can share before the start of the audit, e.g. financial statements, applicable legislation or standards/procedures, basic information about the entity's systems/applications, network diagrams, etc.
During the planning process, we try to understand the entity's risks and prioritize them so that we can focus most of our energy on the highest risk areas. Based on the expected work, we also assign resources (human, technical and financial) at this stage. We also develop our audit program and auditing procedures here.
Field Work:
We visit the entity at this stage and start with a kick-off meeting with the entity's management. During this meeting, we explain the scope of our work and how we will be performing our IS audit.
After the meeting, we start our audit work according to our audit program. We request information and review it against our understanding of the applicable standards and procedures. Any violations are recorded as exceptions. It is critical that we document sufficient, reliable and relevant evidence to support each observation, so that the finding can be reproduced and defended when management replies to it.
Reporting:
This is the stage in the auditing process where we consolidate all of our exceptions/observations and write an audit report. A good audit report also has an Executive Summary which briefly explains the results of the audit, the material observations, the areas for improvement and the standards/methods followed during the audit.
The audit report also explains each observation/exception individually and, where appropriate, annexes a sample of the evidence. However, if annexing the evidence would expose confidential data, the evidence may instead be shared with the entity separately and in confidence. The audit report is formally issued to management for their reply, but only after an exit meeting where the overall results of the audit are shared.
Follow Up/Corrective Action:
An auditor's work doesn't finish after issuing the report. It is also part of the audit process to work with management to expedite the corrective actions suggested by the auditor as recommendations.
The follow-up process includes agreeing with management on suitable timelines for the recommendations. Sometimes management may respond with additional information which helps the auditor understand the exception better; the auditor may then agree with management's point of view and settle the audit observation.
As you can see, planning is perhaps the most important step in the auditing process. If you just visit the client without proper planning, you cannot expect a great audit report regardless of how hard you work. You will feel pushed and short of time, because most audit assignments are time bound.