With the release of its white paper Information Systems Auditing Tools and Techniques: Creating Audit Programs, ISACA describes the basic steps to create an audit program. This white paper is part of a series created to deliver practical guidance on how to perform an audit engagement—from planning to reporting and closing—that is consistent with ISACA Auditing Standards (ITAF) as well as those issued by the Public Company Accounting Oversight Board (PCAOB), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public Accountants (AICPA).

Information systems (IS) audits help enterprises ensure effective, efficient, secure and reliable operation of information technology. Audits can also help confirm compliance with numerous legal and administrative regulations, and help management determine if the business is functioning well and meeting challenges. Most importantly, audits assure stakeholders of the organization’s financial, operational and ethical well-being. All of these outcomes are supported by IS audits, especially the information and related technology and systems that most businesses and public institutions rely upon for a competitive advantage.

An important component of the audit plan is the audit program. Audit programs are commonly used to document the specific procedures and steps of testing and verifying control effectiveness. The audit program’s quality has significant impact on the consistency and quality of the audit results, so it is imperative that IS auditors understand how to develop comprehensive audit programs.

The many benefits of an effective audit depend on proper and thorough planning of the audit engagement. To make this happen, the auditor and the area being audited must understand and accept the scope and objective of the audit. Once the purpose is defined, the next step is to create an audit plan that captures the agreed scope, objectives and procedures required to get the relevant, reliable and sufficient evidence to draw and support audit conclusions and opinions.

To demonstrate the process described in the white paper, ISACA has released a sample audit and assurance program developed using a five-step process to gather the necessary information to define the audit subject, objective, scope and audit methodology. The sample audit program for a virtual private network can be customized to create a specific audit and assurance program tailored to your unique needs.

The documents are intended for IT audit professionals who are new to the profession, are preparing for the Certified Information Systems Auditor (CISA), or simply want to brush up on their skills.

To learn more, see the white paper here.

Eva Sweet, Technical Research Manager, ISACA

[ISACA Now Blog]

By Philip Hung Cao

Philip Hung Cao (aka #tekfarmer), MSCS, ZTX-I, CCISO, CISM, CCSP, CCSK, CASP, GICSP, PCNSE, is a Strategist, Advisor, Contributor, Educator and Motivator. He has 20 years' experience in the IT/Cybersecurity industry in various sectors and positions.
