Information System Audit and Control

Lecture No 2

IS Audit Resource Management

• The IS technology is constantly changing.• The IS Auditors maintain their competency

through updates of existing skills and obtaining trainings of new audit techniques.

• The IS auditor should be technically sound and should maintain technical competence through continuing professional education.

IS Audit Resource Management (Cont’d)

• A detailed staff training plan should be drawn based on technology and risk issues of an organization.

• The trainings should be arranged at least semi-annually.

• The IS audit management provides necessary IT resources needed to perform IS audits of a highly specialized nature (e.g software scanners for network intrusion tests).

Audit Planning

• Short term planning– Takes into account audit issues that will be

covered during the year.• Long term planning– Takes into consideration risk-related issues which

may affect the organization’s IT environment.• The planning of future audit activities should

be reviewed by senior audit management and approved by audit committee.

Audit Planning (Con’d)

• During audit planning, the IS auditor must have an understanding of the overall environment under review.– Various business practices and functions– Types of information systems– Supporting technology

• The IS Auditor should:– Gain an understanding of business’s objectives– Information and processing requirements

Audit Planning (Con’d)

– Identify policies, standards and guidelines– Perform risk analysis– Conduct IS control review– Set audit scope and audit objectives– Develop audit approach or audit strategy

• Identifying available audit resources and assigning appropriate tasks.