So how should the IS audit function be organized within an organization? By "organization" we mean its scope and objectives, and how it should be managed both collectively and at the level of an individual audit. Other aspects of IS audit management include audit planning, actual audit implementation, IS audit resource management, the effect of prevalent legislation on the audit function, and the application of IS audit standards and guidelines. At the strategic level, however, organization of the IS audit function entails:
- Performing and managing audit tasks to fulfil audit objectives
- Ensuring competence of the audit function to perform different types of IS audits
- Ensuring audit independence
- Adding value to the organization's IT operations and management, which in turn supports achievement of organizational goals and objectives.
Organization of IS Audit Function
The IS audit role should be clearly defined by an audit charter. It is not necessary for IS audit to be a standalone department: it can very well be part of the internal audit or financial audit function, or, as is often the case, an independent audit group.
The audit charter is the main document from which the objectives, role and scope of IS audit derive. Overall responsibility for IS audit rests with management and is delegated to the IS audit function via the charter. As with the internal audit function, the charter has to be approved by the highest level of management in the organization and, if possible, by the audit committee or the board.
Any subsequent changes to the audit charter should follow the same approval hierarchy and be based on justification. The ISACA auditing standards also require that the scope, authority, responsibility and accountability of the IS audit function be documented and approved, either in an IS audit charter or in an engagement letter with the entity.
Difference between Audit Charter and Engagement Letter
While the audit charter is a broad document that encompasses all audit activities, an engagement letter is more targeted and is often limited to a single audit engagement with clearly stated objectives.
Where IS audit services are provided by an external entity, the scope, nature of the audit and all other details should be clearly agreed upon and documented in the form of a contract or a statement of work.
The most critical point to remember is that, whether the engagement is internal or external, IS audit management should ensure that the function is independent. Preferably, it should report to an audit committee or to the highest level of senior management, which may be the board of directors.