Thursday, August 16, 2007

IT Risk Assessment model

Modeling Information Risk Elements

Risk is a combination of:
  • Financial impact
  • Vulnerability
    • Accessibility (physical and network access)
    • Number of users
  • Complexity
    • System design complexity
    • Organisational complexity
    • Technology risk
For details visit:
http://www.theiia.org/itaudit/index.cfm?act=ITAudit.archive&fid=482

Also visit:
Using Risk Models to Determine Information Risk Levels
Taking the Helicopter View of Information Risks


Monday, August 06, 2007

DRP = IT BCP.

DR is the IT portion of the BCP (Business Continuity Planning). It handles the recovery of the computer systems (for example, if the data centre is on fire or a server breaks down).

DRP = IT BCP.

BCP takes care of the recovery of the business processes, for example if the factory or the business premises are burnt down. There must be a business resumption strategy to recover the critical business processes.

Before developing a BCP (including IT BCP), a BIA (Business Impact Analysis) should be conducted to determine the criticality of the business processes and the recovery priority.

A good example of an IT BCP template is available from:

NIST IT Contingency Planning Guide

csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf


Wednesday, August 01, 2007

IT AUDIT FUNCTION AND ACTIVITIES

IT auditing is a branch of general auditing concerned with the governance (control) of information and communications technologies (computers). The IT auditor reviews the adequacy and effectiveness of the controls in place to minimise IT-related risks. Examples of IT risks are unauthorised access, system downtime, virus threats and loss of data.

Before planning an audit, the IT auditor must have an understanding of the environment under review and perform the following:

1. Gain an understanding of the business mission, business vision, business purpose, business processes.

2. Identify policies, standards, guidelines, procedures and organisation structure.

3. Evaluate the risk assessment carried out by management.

4. Perform a risk assessment.

1. Gain an understanding of the business mission, business vision, business purpose, business processes

Steps that will be or have been taken to gain an understanding of the business include:

· Touring key organisation facilities

· Reading background materials, including the annual report

· Reviewing long-term strategic plans

· Interviewing or meeting with key managers to understand business issues

· Reviewing prior audit reports (internal and external)

2. Identify policies, standards, guidelines, procedures and organisation structure

The purpose of this exercise is to determine the governance (controls) in place, or the controls that should be in place.

Legal and statutory regulations should also be looked into.

3. Evaluate the risk assessment carried out by management

The purpose of this exercise is to determine the areas of management concern. These will be used to identify the auditable areas.

4. Perform a risk assessment

The purpose of this risk assessment is to classify the risk of each auditable area as high, medium or low and to determine the priority in which the areas will be audited.
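As an added example (not from the original posts or the IIA article linked above), here is one way to turn the risk elements listed in the earlier post, financial impact, vulnerability (accessibility and number of users) and complexity (system design, organisational, technology risk), into the high/medium/low rating and audit priority that this step describes. The three-point scales, the way the elements are combined and the rating thresholds are assumptions chosen for illustration, and the auditable areas are constructed sample data.

```python
"""Added illustrative risk-scoring model for auditable areas.

Assumptions (not from the original post): each element is rated on a 1-3
scale, vulnerability is the worst of its sub-elements, complexity is the
ceiling average of its sub-elements, and financial impact multiplies the
sum of the two. Thresholds for the final rating are also assumed.
"""
from dataclasses import dataclass

SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class AuditableArea:
    name: str
    financial_impact: str    # low / medium / high
    accessibility: str       # physical and network access exposure
    user_count: int          # number of users with access
    design_complexity: str   # system design complexity
    org_complexity: str      # organisational complexity
    technology_risk: str     # technology risk


def user_count_score(count: int) -> int:
    """Assumed banding of user counts onto the 1-3 scale."""
    if count < 50:
        return 1
    if count < 500:
        return 2
    return 3


def vulnerability_score(area: AuditableArea) -> int:
    """Worst of the two vulnerability sub-elements (assumed rule)."""
    return max(SCALE[area.accessibility], user_count_score(area.user_count))


def complexity_score(area: AuditableArea) -> int:
    """Ceiling average of the three complexity sub-elements (assumed rule)."""
    total = (SCALE[area.design_complexity]
             + SCALE[area.org_complexity]
             + SCALE[area.technology_risk])
    return (total + 2) // 3


def risk_score(area: AuditableArea) -> int:
    """Impact x (vulnerability + complexity); range 2..18 under these rules."""
    return SCALE[area.financial_impact] * (vulnerability_score(area)
                                           + complexity_score(area))


def classify(score: int) -> str:
    """Assumed thresholds mapping the numeric score to high/medium/low."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


# Constructed sample areas, not real systems.
SAMPLE_AREAS = [
    AuditableArea("Payroll system", "high", "medium", 120,
                  "high", "medium", "medium"),
    AuditableArea("Customer portal", "medium", "high", 20000,
                  "medium", "low", "high"),
    AuditableArea("Internal wiki", "low", "medium", 300,
                  "low", "low", "low"),
]


def prioritise(areas=SAMPLE_AREAS):
    """Return (name, score, rating) tuples, highest risk first."""
    ranked = sorted(areas, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), classify(risk_score(a))) for a in ranked]


if __name__ == "__main__":
    for name, score, rating in prioritise():
        print(f"{name:20s} score={score:2d} rating={rating}")
```

Replacing the assumed combination rule or thresholds is the point of the exercise: the auditor should agree them with management before ranking, so that the resulting priority order can be explained in the audit plan.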
