It Audit Execution Tools Book 3
IT AUDIT EXECUTION
TOOLS - BOOK 3
TOOLS TO SUPPORT
EFFECTIVE IT AUDIT PROJECTS
IT Audit Execution Tools - Book 3: Tools to Support Effective IT Audit Projects
1st edition
© 2021 John Kyriazoglou & bookboon.com
ISBN 978-87-403-3878-2
IT AUDIT EXECUTION TOOLS - BOOK 3 Contents
CONTENTS
Dedication
Overview
1 IT Audit Program
1.1 Audit Program: General Definition
1.2 IT Audit Program
1.3 Example of an IT Audit Program
2 IT Audit Checklist
2.1 Description
2.2 How to create an IT Audit Checklist
2.3 IT Systems Development Checklist Example
3 IT Audit Questionnaire
3.1 Brief description
3.2 IT Audit Questionnaire Evaluation Method
3.3 Example: IT Strategy Audit Questionnaire
3.4 Evaluation of Answers
End Notes
Chapter 5
Bibliography
DEDICATION
This book is dedicated to my closest family members that support me with all their hearts
and souls: Sandy, Miranda, Chris and Dimitri and above all, Melina, our most precious
gem and princess of our life on this planet.
OVERVIEW
Overview: This book (the third in a series of five) describes a set of IT Audit Execution
Tools that support IT auditing (e.g., IT Audit Programs, IT Audit Checklists, IT Audit
Questionnaires, the IT Audit Report, Audit Testing Methods, etc.), how to create IT Audit
Programs, IT Audit Checklists and IT Audit Questionnaires, how to evaluate audit answers,
the problems of the traditional way of IT auditing, system testing practices, automated audit
software packages (CAATs), visual audit tools, etc.
These tools are designed to carry out IT Audit Projects and support the audit process,
methods, techniques and controls identified in the other 4 books of this series.
1 IT AUDIT PROGRAM
Overview: This chapter defines an IT Audit Program, describes a set of tasks to prepare
it (Part A: Preparation of audit activities; Part B: Execution of audit tasks; and Part C:
Reporting audit findings and results), and presents an example of an IT Audit Program
that may be used to examine the effectiveness of the IT function of ‘ABCD SA’, a fictitious
private company.
After preparing an audit plan, the auditor allocates the work and prepares a program that
contains the detailed steps and audit procedures the audit team needs to follow while
conducting the audit.
The main objective of an audit program is to create a framework that is detailed enough
for anyone in the company or outside, to understand what assessments and examinations
have been completed, what conclusions have been reached and what the reasoning is behind
each conclusion.
The preparation of each IT Audit Program follows the steps and processes mentioned in
Chapter 4 ‘IT Audit Methodology’ (of Book 1).
Contents: This audit program includes the following parts: Part A (Preparation of audit
activities); Part B (Execution of audit tasks); and Part C (Reporting audit findings and results).
Task A.2. Documentation Review. Review the above IT Governance related documents with
the auditees to get a full understanding of how these are applied in their every-day practice.
Task A.3. Select Audit Testing Methods. Select one or more testing methods (i.e., Inquiry,
Observation, Inspection of Evidence, Re-performance, CAATs, as per Appendix 1: Audit
Testing Methods) to perform various compliance or substantive tests as regards these
documents and controls.
Action 2. Interview the appropriate staff to assess if the above risks have been identified
and whether mitigation measures have been implemented.
Task A.5. Completion: Selection of IT audit areas and issues (as per Appendix 2. IT
Audit Areas and Issues) to be audited, and preparation and completion of the IT audit
questionnaires and IT audit checklists that will be used for this audit.
You may use Appendix 3 ‘IT Systems Testing Methodology’ to carry out your tests and
record the results.
4.3. Determine that appropriate input controls are used to ensure accuracy and completeness
of data.
4.5. Determine that appropriate output controls are used to ensure accuracy, completeness,
timeliness, and proper distribution of data processed.
4.6. Assess the quality of the IT Application audited. For more details, see ‘Appendix 4:
IT Application Quality Audit Program’.
4.7. Use visual tools (Appendix 7) to better understand the IT Application System you will
be auditing, detect gaps and anomalies, and create tests, as required.
For more assessment actions, also see the following support tools:
1. IT Audit Programs in Book 4 (‘IT Audit Support Tools 1’), and
2. IT Audit Questionnaires in Book 5 (‘IT Audit Support Tools 2’).
2 IT AUDIT CHECKLIST
Overview: This chapter describes how to create an IT Audit Checklist and presents an
example of an ‘IT System Development Checklist’.
2.1 DESCRIPTION
A checklist is a type of job aid used to reduce failure by compensating for the limits of
human memory and attention. It helps to ensure consistency and completeness in carrying out
a task [1]. A basic example is the ‘to do list’. A more advanced checklist is a schedule,
which lays out tasks to be done according to time of day or other factors. A primary function
of a checklist is to document the task and to audit against that documentation.
An IT Audit Checklist often uncovers specific deficiencies that cause major problems for an
IT function (e.g., IT Operations) or IT Audit Area (e.g., IT Personnel Management). Once
you walk through the checklist, you can clearly see areas where processes and procedures
are lacking or where they might be absent altogether.
With constantly changing technology, your business could be at risk for a variety of
reasons, and hackers and cyber-security threats are also constantly evolving. When you
follow through with an IT Audit Checklist, you are proactively addressing the reality of
today’s IT world and doing your part to protect your IT investments, systems and applications,
as well as your business.
Step 2. Familiarize yourself with the rules, regulations and standards for the area to be
audited, inspected, assessed, etc.
Step 3. Review the application of the methodologies, policies, rules, regulations and standards
for the area you will be auditing by doing the following:
3.1. Identify the key concepts, phrases, words and requirements of these rules, regulations
and standards.
3.2. Write phrases or questions to determine if the requirements have been met.
Step 4. Locate the corrective actions that have been done during your audit process.
Step 5. Determine what other policies, procedures, work instructions, flowcharts, etc. apply
to this process.
Step 6. Define the support processes and how these processes interact with the process to
be audited. Support processes may include training, auditing of documents and files,
resource management, etc.
The replies in each item below are only documented to give you an idea how to use a
checklist like this.
• Executive Summary
• Problem Description
• Suggested Solutions
• Feasibility Elements
• Development Plan of the proposed Information System
• Recommendations to Management
• Appendix (Minutes of meetings, list of documentation and procedures examined,
technical and financial details, etc.).
• Executive Summary
• Summary of Analysis and Design
• Requirements and Needs of Users
• Description of the future ‘logical’ system
• Description of the future ‘physical’ system
• System flowcharts
• Data flow diagrams
• Entity-relationship diagrams
• Process narratives
• System Restrictions
• Appendix (Minutes of meetings, program development budget, list of supporting
documentation, etc.)
3.7. Tests for each program, sub-system and whole system: Yes
• Purpose and diagrams for each program of the information system (e.g., program
flowcharts, decision tables, structure charts, etc.)
• Printouts of source code
• Descriptions of data entering and exiting the system
4.4. Operational procedures (security, backup, recovery, performance monitoring, data base
space management, etc.), tested before production status: Yes
• Instructions for completing all forms for entering data into the system (input
source, form and receiving instructions)
• Instructions for transmitting reports and other digital media to other systems or sites
• Technical operating instructions for configuring and executing system workflows
in the computer system
• Instructions for performing backup, recovery and re-start procedures
• Instructions for correcting errors, etc.
Remarks: Procedure needs improvement. Users and management need to become aware
and approve this stage.
IT Audit Checklists are used to support the assessment actions of the IT Audit Programs.
For more examples, see Appendix 6: Data Protection and IT Security Checklist.
3 IT AUDIT QUESTIONNAIRE
Overview: This chapter describes an IT Audit Questionnaire Evaluation Method and an
example of a standard IT Strategy Audit Questionnaire.
3.2 IT AUDIT QUESTIONNAIRE EVALUATION METHOD
Each answer is graded on a scale of 1 (best) to 5 (worst):
Grade 1 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is specified by an industry or company standard, is approved
and monitored by management, ratified by the board, known to staff and always applied
effectively. This is the perfect situation.
Grade 2 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is approved and monitored by management, known to staff and
applied effectively most of the time. This is a near-perfect situation.
Grade 3 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is known to staff and applied effectively in most cases, but
not monitored by management. This is the middle case.
Grade 4 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is known to some staff and applied sometimes, depending on the
person involved, but not monitored by management. This is the next-to-worst situation.
Grade 5 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is known to very few staff, applied rarely or not at all, and
not monitored by management. This is the worst situation.
Evaluation of answers
There are a number of questions that cover specific topics. The correct and effective answers to
these questions can be evaluated as follows:
Step 1: Summarize all grades per question, i.e., how many “1”, how many “2”, etc.
Step 2: Summarize all “NO” answers and give them a grade of “5” = N.
Step 3: Total sum of grades “1”, “2”, “3”, “4”, and “5”.
Step 4: Multiply the grades as follows:
1. The result (A) shows the degree of readiness of the company for the specific IT
issue (here, IT strategy), on a scale of 1 to 100.
2. The closer the result is to 100, the better the IT strategy works; the further
away it is, the more the IT strategy needs to be improved.
3. For example, a result > 70% means that the business has an IT strategy but
needs further improvement.
4. A result < 60% indicates that a lot of improvement is needed.
5. A result < 40% requires radical improvement, and so on.
3.3 EXAMPLE: IT STRATEGY AUDIT QUESTIONNAIRE
Purpose
The purpose of this questionnaire (IT Strategy Audit Questionnaire Example) is to assist
and support the effort to diagnose and determine the degree of readiness of the specific
company for IT strategic issues. For each of the following questions, the answer should be
noted, as per above paragraph (3.2. IT Audit Questionnaire Evaluation Method).
Q2. Are there business plans and objectives at the overall level, level of operation, level of
service, level of management / unit?
Answer: Yes: X  No: __  Grade: 3
Q3. Are there an IT vision, mission and overall IT business strategy implemented and to
what level of effectiveness?
Answer: Yes: X  No: __  Grade: 5
Q5. Is there a communication system used to inform all parties of the strategies, policies,
goals, and customer service issues and concerns?
Answer: Yes: X  No: __  Grade: 1
Q6. Is the vision, mission and business strategy of the company understood and supported
by all levels of the organization?
6.1. Staff?
Answer: Yes: X  No: __  Grade: 3
6.2. Suppliers?
Answer: Yes: X  No: __  Grade: 3
6.4. Customers?
Answer: Yes: X  No: __  Grade: 4
6.5. Management?
Answer: Yes: X  No: __  Grade: 2
Q7. Is the IT vision, mission and IT strategy of the company understood and supported
by all levels of the organization?
7.1. Staff?
Answer: Yes: X  No: __  Grade: 1
7.2. Suppliers?
Answer: Yes: X  No: __  Grade: 5
7.4. Customers?
Answer: Yes: X  No: __  Grade: 4
7.5. Management?
Answer: Yes: X  No: __  Grade: 3
Q2. Have the reasons for the required IT systems and operations been clearly and
comprehensibly identified and approved, as required?
Answer: Yes: X  No: __  Grade: 2
Q3. Is the IT vision, mission and objectives equally acceptable to all management and users?
Answer: Yes: X  No: __  Grade: 4
Q4. Do end-user managers have full understanding and commitment to the company’s
vision, mission and goals and do they believe they have the full support of leadership?
Answer: Yes: X  No: __  Grade: 3
Q5. Do end-user managers have full understanding and commitment to IT’s vision, mission
and goals and do they believe they have the full support of IT?
Answer: Yes: X  No: __  Grade: 2
Q6. Do IT staff have a full understanding and commitment to the vision, mission and
goals of IT?
Answer: Yes: X  No: __  Grade: 1
Q7. Do IT staff have the full support of management in issues and difficulties of implementing
IT systems?
Answer: Yes: X  No: __  Grade: 5
Q8. Do IT staff have the required theoretical and practical training, qualifications and skills
to deal with and effectively solve the implementation issues of IT systems?
Answer: Yes: __  No: X  Grade: 0
Q9. Is there a full understanding of the time, effort, success factors and risks of implementing
an IT system?
Answer: Yes: X  No: __  Grade: 2
Q10. Are there approved financial resources for the design, maintenance and improvement
of IT systems?
Answer: Yes: X  No: __  Grade: 1
Q11. Is there an approved methodology and development standards for the design, operation,
maintenance and improvement of IT systems?
Answer: Yes: X  No: __  Grade: 5
Q12. Are external partners providing IT services and support managed well?
Answer: Yes: X  No: __  Grade: 2
Auditor remarks: As described above (see paragraph 3.2, ‘IT Audit Questionnaire Evaluation
Method’), a compliance indicator of 46.09% (100% is perfect) indicates that the IT strategy
of this company requires a lot of improvement.
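The following Python script is an added worked example of the evaluation method above; it is not code from the book. It tallies the grades (Step 1), counts each ‘No’ answer as grade 5 (Step 2), totals them (Step 3) and turns the tally into a percentage. Because the weighting table of Step 4 is not reproduced on this page, the weights in the script (grade 1 = full credit down to grade 5 = no credit) and the wording for the undefined 60-70% band are assumptions. The sample input is the set of answers that survive on this page, so its result will not match the 46.09% quoted above.

```python
"""Grade tally and readiness indicator for an IT audit questionnaire.

Added example (not the book's own code). The book's Step 4 weighting table is
not reproduced on this page, so the weights below are an ASSUMPTION chosen so
that grade 1 (the perfect situation) earns full credit and grade 5 (the worst)
earns none; a "No" answer is counted as grade 5, as Step 2 of the method says.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# ASSUMED weights: fraction of full credit earned by each grade 1..5.
WEIGHTS = {1: 1.00, 2: 0.75, 3: 0.50, 4: 0.25, 5: 0.00}
NO_GRADE = 5  # Step 2: a "No" answer is graded 5


def normalise(answers: List[Tuple[str, bool, Optional[int]]]) -> List[int]:
    """Step 2: turn (question, yes?, grade) rows into a list of grades 1..5.

    A "No" row becomes grade 5 whatever grade was written next to it; a "Yes"
    row must carry a grade in 1..5, otherwise the questionnaire is incomplete.
    """
    grades = []
    for question, yes, grade in answers:
        if not yes:
            grades.append(NO_GRADE)
        elif grade in WEIGHTS:
            grades.append(grade)
        else:
            raise ValueError(f"{question}: a 'Yes' answer needs a grade 1-5, got {grade!r}")
    return grades


def tally(answers) -> Tuple[Dict[int, int], int]:
    """Steps 1 and 3: how many of each grade, and the total number of answers."""
    grades = normalise(answers)
    counts = Counter(grades)
    return {g: counts.get(g, 0) for g in range(1, 6)}, len(grades)


def readiness(answers) -> float:
    """Step 4 with the assumed weights: weighted credit as a percentage (0..100)."""
    counts, total = tally(answers)
    if total == 0:
        raise ValueError("no answers to evaluate")
    credit = sum(counts[g] * WEIGHTS[g] for g in counts)
    return round(100.0 * credit / total, 2)


def interpret(pct: float) -> str:
    """Bands from the method's list; the 60-70 band is not defined on the page (assumed)."""
    if pct < 40:
        return "radical improvement required"
    if pct < 60:
        return "a lot of improvement required"
    if pct > 70:
        return "IT strategy in place but needs further improvement"
    return "borderline: improvement needed"  # assumed wording for the undefined band


# The answers that survive on this page: (question label, Yes?, grade).
# Q8 of the second block was answered "No" and is therefore graded 5.
SAMPLE = [
    ("1.Q2", True, 3), ("1.Q3", True, 5), ("1.Q5", True, 1),
    ("1.Q6.1", True, 3), ("1.Q6.2", True, 3), ("1.Q6.4", True, 4), ("1.Q6.5", True, 2),
    ("1.Q7.1", True, 1), ("1.Q7.2", True, 5), ("1.Q7.4", True, 4), ("1.Q7.5", True, 3),
    ("2.Q2", True, 2), ("2.Q3", True, 4), ("2.Q4", True, 3), ("2.Q5", True, 2),
    ("2.Q6", True, 1), ("2.Q7", True, 5), ("2.Q8", False, None), ("2.Q9", True, 2),
    ("2.Q10", True, 1), ("2.Q11", True, 5), ("2.Q12", True, 2),
]

if __name__ == "__main__":
    counts, total = tally(SAMPLE)
    pct = readiness(SAMPLE)
    print(f"grade counts: {counts}  answers: {total}")
    print(f"readiness: {pct}%  -> {interpret(pct)}")
```

Run it directly to print the tally and the indicator; the grade counts are the numbers the auditor would enter in the Step 1 table, and a ‘Yes’ answer left without a grade is reported as an error rather than silently scored.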
IT AUDIT EXECUTION TOOLS - BOOK 3 IT Audit Report Template
It also includes a set of recommendations for each audit finding to improve the situation
documented during the audit as well as other elements that complement the audit.
Part C. Appendix
This part contains the most detailed description of the data and reasoning of the IT auditor
as well as all the results, findings and recommendations of the IT audit with financial and
other data, etc.
These contents of the IT Audit Report and especially ‘Part B. Detailed Results, Findings
and IT Audit Recommendations’ are further analyzed below.
Audit Objectives: A description of the audit objectives pre-agreed with the audit committee or
other senior management body of the company. For example: ‘Examination of the operation
and effectiveness of the IT Function and systems of the company (‘XYZ Corporation’, a
fictitious maritime entity) on the basis of international standards and good practice.’
1. E-Mail server,
2. Personnel Management System,
3. Crew Management System,
4. Vendor Management System,
5. Customer Management System,
6. Financial Management System and
7. Fleet Management System.
In addition to these, the standard application package ‘MS Office’ (Word, Excel, PowerPoint,
etc., of Microsoft) is used to process personal and other data in an office environment. The
full details are contained in the Register of Personal Data and the register of IT assets.
In order to mitigate the impact of various risks (e.g., security, data protection, etc., as per
Appendix XXX), and to remedy the consequences resulting from the faults and findings
described in each IT Audit Area, a set of specific improvement recommendations are proposed
to management by the IT Auditor.
The IT Audit Approach to carry out this audit is detailed in Appendix A of this report.
The ‘IT Audit Programs’, ‘IT Audit Questionnaires’ and ‘IT Audit Evaluation Criteria’
used to compile and assess the audit findings and make the IT audit recommendations
are described in the Appendix of this report.
Also, the audit recommendations (detailed below) take into consideration the findings of
the audit, the impact of risks and the company’s risk profile, well-known industry standards
(e.g., ISO, ENISA, ITIL, ISACA, etc.) as well as best practices and IT audit experience.
F2. The IT function of the company does not have a standard organizational structure and
does not employ the necessary staff with the required qualifications and skills to fulfill its
purpose.
F3. There are various companies and individuals that support the company’s IT applications
and website. However, there are no formal contracts with these individuals and companies
that support and handle all aspects of the company’s infrastructure and IT applications.
Audit result: The result of auditing the IT Organization area was successful. The details of
the IT Organization Controls that are currently implemented by the company, which were
reviewed and tested in the process of this IT audit, are included in Appendix X. Major
improvements are required to be implemented by management in order to mitigate the
effect of any risks of mismanaging the IT function.
The team must be properly staffed (manager, IT staff, users, etc.), supported by the relevant
bodies of the company (board of directors, senior executives, etc.), have the necessary financial
resources and a specific schedule and goals, receive instructions for immediate resolution of
problems that arise, and its work must be supported and monitored by top management.
Also, the audit recommendations (detailed below) take into consideration the findings of
the audit, the impact of risks and the company’s risk profile, well-known industry standards
(e.g., ISO, ENISA, ITIL, ISACA, etc.) as well as best practices and IT audit experience.
F2. The information systems and applications used today operate on a variety of technological
environments, have been developed in different time periods and are not complete.
F3. Communications between systems and applications are either non-existent or ad-hoc,
and in any case do not work as a whole.
F4. A network infrastructure and a central database, which could bridge communication
between the applications, are missing.
Audit result: The result of auditing the IT Strategy area was successful. The details of the
IT Strategic Controls that are currently implemented by the company, which were reviewed
and tested in the process of this IT audit, are included in Appendix X. Major improvements
are required to be implemented by management in order to mitigate the effect of any risks
of mismanagement and waste of strategic resources.
This strategy should specify what the company needs in equipment, system software,
applications, database technology, etc., for the next period (2-5 years) as well as for
the next decade.
Part C. Appendix
This part contains the most detailed description of the IT auditor’s data and reasoning
as well as all audit results, findings and recommendations with financial and other data,
meeting minutes, resource and financial data tables, charts, test data, copies of transactions,
copies of evidence, printouts of logs, etc.
Appendix 2: Further analysis of the audit findings and recommendations with financial and
other technical data (for each audit recommendation contained in Part B of the report) as
well as the supporting audit working notes of each auditor.
Appendix 4: Resources (names of auditors and audit hours, names of executives, names of
end users, names of external partners and names of companies that maintain equipment
and systems, etc.).
Appendix 12: Management Action Plan for each recommendation included in Part B of
the report with all relevant details, etc.
IT AUDIT EXECUTION TOOLS - BOOK 3 Automated IT Audit Tools
The auditor’s opinion or conclusion is also problematic: it may assure management that there
are no problems in the audited entity, especially one that uses complex and very sophisticated
IT systems, even though a larger sample would more likely show evidence of fraud and
other errors.
When problems, fraud, damage, errors, etc. are later discovered, the management and senior
executives of the company tend to label the entire audit process as inefficient and invalid,
and as unable to add value to the business.
For these reasons, professional organizations, researchers and companies have increasingly
developed the approach of continuous monitoring of controls and continuous auditing.
This approach is based on a variety of system testing techniques and the full use of Computer
Assisted Audit Techniques (CAATs), also referred to as Computer Aided Audit Tools or
Computer Assisted Audit Tools and Techniques (CAATTs).
1. Test deck. This technique involves test transactions that contain normal and
abnormal data in order to activate the routine logic of the information systems
to prove that the system is working properly and processing the information
according to the designed controls.
2. Integrated test facility. This technique involves the continuous processing of a
complete set of business test transactions in parallel with the operation of the
normal productive operation of the system in order to audit the performance of
the specific information system.
3. Audit file triggering. This technique is used to activate an audit file with
specific business transactions where all operations are recorded during the
execution of specific audits in the data processing process.
4. Parallel simulation. The parallel simulation technique involves creating a set
of programs used by the IT Auditor to simulate the operating processes of the
information system and to compare the test results with the results of the real
information system that runs in production.
5. Program checking. This technique, with the operation of audit software,
analyzes the program code of the information system in production, and
records all operations, and logical interfaces for audit purposes.
6. Mapping of processing. The technique of mapping the processing steps is used
to document the logical interfaces that have not been tested in the specific
programs, to audit them through test transactions and to compare the results
with the expected ones.
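As an added example (not from the book) of techniques 1 and 4 working together, the Python script below feeds a test deck of normal and abnormal transactions through a constructed stand-in for a production routine and through the auditor’s own re-implementation of the documented rules, then reconciles the two line by line and reports batch totals. The business rules, the field names, the two defects planted in the ‘production’ routine and the deck itself are all assumptions made for the demonstration.

```python
"""Parallel simulation driven by a test deck (CAAT techniques 1 and 4).

Added example, not code from the book. Everything here is constructed for
the demonstration: the 'production' routine standing in for the system under
audit, the documented business rules it is supposed to implement (quantity > 0,
unit price >= 0, discount between 0 and 100 %, non-blank vendor, amounts
rounded half-up to the cent), and the test deck of normal and abnormal
transactions. Amounts are integer cents, so there is no float rounding noise.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Optional, Tuple

Result = Tuple[str, Optional[int]]  # ("ACCEPTED", cents) or ("REJECTED", None)


def production_process(tx: Dict) -> Result:
    """Constructed stand-in for the production program.

    It carries two defects the CAAT should surface: it truncates fractional
    cents instead of rounding half-up, and it never checks the discount ceiling,
    so a 150 % discount sails through and yields a negative amount.
    """
    if tx["qty"] <= 0 or tx["unit_price_cents"] < 0 or not tx["vendor"].strip():
        return ("REJECTED", None)
    cents = tx["qty"] * tx["unit_price_cents"] * (100 - tx["discount_pct"]) // 100
    return ("ACCEPTED", cents)


def auditor_simulate(tx: Dict) -> Result:
    """The auditor's independent re-implementation of the documented rules."""
    invalid = (tx["qty"] <= 0 or tx["unit_price_cents"] < 0
               or not 0 <= tx["discount_pct"] <= 100 or not tx["vendor"].strip())
    if invalid:
        return ("REJECTED", None)
    amount = (Decimal(tx["qty"]) * Decimal(tx["unit_price_cents"])
              * (Decimal(100) - Decimal(tx["discount_pct"])) / Decimal(100))
    return ("ACCEPTED", int(amount.quantize(Decimal("1"), rounding=ROUND_HALF_UP)))


def reconcile(deck: List[Dict]):
    """Run every deck transaction through both routines and compare.

    Returns (exceptions, batch_totals). Exceptions are (id, kind) where kind is
      'control failure'        production accepted what the rules say to reject,
      'false rejection'        production rejected a valid transaction,
      'computation difference' both accepted but the amounts differ.
    The batch totals (record count and control total in cents) are the
    completeness controls an auditor compares against the run-to-run report.
    """
    exceptions = []
    totals = {"production": {"count": 0, "cents": 0},
              "simulation": {"count": 0, "cents": 0}}
    for tx in deck:
        p_status, p_cents = production_process(tx)
        s_status, s_cents = auditor_simulate(tx)
        for name, status, cents in (("production", p_status, p_cents),
                                    ("simulation", s_status, s_cents)):
            if status == "ACCEPTED":
                totals[name]["count"] += 1
                totals[name]["cents"] += cents
        if p_status != s_status:
            kind = "control failure" if p_status == "ACCEPTED" else "false rejection"
            exceptions.append((tx["id"], kind))
        elif p_cents != s_cents:
            exceptions.append((tx["id"], "computation difference"))
    return exceptions, totals


# Constructed test deck: normal transactions plus deliberately abnormal ones.
TEST_DECK = [
    {"id": "T1", "vendor": "ACME", "qty": 2, "unit_price_cents": 1000, "discount_pct": 0},    # normal
    {"id": "T2", "vendor": "ACME", "qty": 1, "unit_price_cents": 1001, "discount_pct": 5},    # 950.95 cents
    {"id": "T3", "vendor": "ACME", "qty": 1, "unit_price_cents": 1000, "discount_pct": 150},  # discount > 100
    {"id": "T4", "vendor": "ACME", "qty": 0, "unit_price_cents": 500, "discount_pct": 0},     # zero quantity
    {"id": "T5", "vendor": "   ", "qty": 1, "unit_price_cents": 500, "discount_pct": 0},      # blank vendor
    {"id": "T6", "vendor": "Globex", "qty": 3, "unit_price_cents": 250, "discount_pct": 10},  # normal, exact
]

if __name__ == "__main__":
    exceptions, totals = reconcile(TEST_DECK)
    for tx_id, kind in exceptions:
        print(f"{tx_id}: {kind}")
    print("batch totals:", totals)
```

Exceptions of kind ‘control failure’ are the ones that matter most: the production routine accepted a transaction the rules say must be rejected. ‘Computation difference’ lines point at the rounding defect, and the divergent record counts and control totals are what the auditor would compare against the run-to-run report of the real batch.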
These special software packages (audit software) have the ability to assist and facilitate the
IT Auditor in performing the audits in a more efficient way, such as:
Some of these audit software packages that assist the IT Auditor in performing IT audits
with CAATs are described below.
This list is presented on a purely indicative basis and without any commitment or obligation
on behalf of the author and the publisher about the validity or accuracy of the information
provided by the software suppliers and the potential use and applicability of these tools in
audit assignments by IT auditors.
It is strongly advised that one or more of these may be selected, reviewed and tested effectively
by each IT Audit entity before they are put into productive practice.
Step 1. Analyze and study the needs and requirements of using auditing tools for the specific
company.
Step 2. Contact other users of the specific tools and find out how the automated tools
support their IT audit work.
Step 3. Understand the audit software by having a walk-through right from user creation,
grant of user access, configuration settings, data entry, query and reporting features.
Step 4. Decide what techniques of CAATs could be used in your IT audit environment.
Step 7. Ensure your audit people are trained by the selected software suppliers on the use
of these tools.
APPENDIX 1. AUDIT
TESTING METHODS
Overview: This Appendix describes five core audit testing methods that IT auditors use to
confirm the facts and answers that a business wants to attain during an IT audit.
Method 1. Inquiry
Inquiry entails asking for an explanation from the auditees relating to the IT control process
(e.g., Password Policy) or transactions of an IT Application System.
Simply put, the IT auditor uses an IT Audit Checklist or Questionnaire to ask appropriate
management and staff about the controls in place in the area being audited (e.g., Data
Center Controls) in order to obtain relevant information.
For example, an IT auditor may inquire of management whether visitors to the Data Center
are escorted at all times, if the auditor is not able to observe this activity while on site.
Method 2. Observation
Observation involves looking at the procedures that are being performed by the auditees
(e.g., IT staff). For example, an IT auditor observes how visitors enter a sensitive area, like
the computer room, or sees if passwords are written on gummed labels near a computer
screen, etc.
Method 4. Re-performance
Re-performance is the process whereby the IT auditor independently re-executes the IT
control procedures that were performed by the IT staff. For example, an IT auditor may run
a recovery test to confirm that a backup procedure works, or test an application system in
an audit-specific test environment, etc.
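As an added example (not the book’s code) of re-performing a backup and recovery control, the Python script below builds a small constructed data set, backs it up, restores it into a clean directory and verifies every file by SHA-256 digest. The tar archive is an assumed stand-in for whatever backup tool the audited site uses; the script also refuses archive members that would extract outside the restore directory, since restoring a tampered archive is itself a way to write files where they should not go.

```python
"""Re-performing a backup-and-restore control (audit testing method 4).

Added example, not the book's code. Instead of accepting the operator's
statement that backups restore correctly, the auditor builds a small fixture,
runs the backup step, restores it into a clean directory and checks every file
by SHA-256 digest. The tar archive is an ASSUMED stand-in for the site's real
backup tool; all fixture data is constructed.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List


def sha256_tree(root) -> Dict[str, str]:
    """Digest of every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src, archive) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")


def safe_members(tar: tarfile.TarFile, dest) -> Iterator[tarfile.TarInfo]:
    """Yield members only if they extract inside dest.

    A tampered archive can carry '../' names, absolute paths or links that
    write outside the restore directory, so refuse them before extracting.
    """
    dest = Path(dest).resolve()
    for m in tar.getmembers():
        target = (dest / m.name).resolve()
        if m.name.startswith("/") or (target != dest and dest not in target.parents):
            raise ValueError(f"unsafe path in archive: {m.name}")
        if m.issym() or m.islnk():
            raise ValueError(f"link not allowed in archive: {m.name}")
        yield m


def restore(archive, dest) -> None:
    Path(dest).mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, members=list(safe_members(tar, dest)))


def compare_digests(expected: Dict[str, str], actual: Dict[str, str]) -> Dict[str, List[str]]:
    """Files missing after restore, unexpected extras, and digest mismatches."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "corrupt": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
    }


def reperform_restore_test(src) -> Dict:
    """Back up src, restore into a fresh directory, and verify file by file."""
    expected = sha256_tree(src)
    with tempfile.TemporaryDirectory() as work:
        archive = Path(work) / "backup.tar.gz"
        backup(src, archive)
        restored = Path(work) / "restore"
        restore(archive, restored)
        diff = compare_digests(expected, sha256_tree(restored))
    diff["files"] = len(expected)
    diff["pass"] = not (diff["missing"] or diff["extra"] or diff["corrupt"])
    return diff


def build_fixture(root) -> None:
    """Constructed sample data: text, CSV and binary, one file in a sub-directory."""
    root = Path(root)
    (root / "config").mkdir()
    (root / "config" / "app.ini").write_text("[db]\nhost=db01\n")
    (root / "ledger.csv").write_text("id,amount\n1,10.00\n2,20.50\n")
    (root / "blob.bin").write_bytes(b"\x00\x01binary\xff")


def demo() -> Dict:
    """Run the re-performance against the constructed fixture."""
    with tempfile.TemporaryDirectory() as src:
        build_fixture(src)
        return reperform_restore_test(src)


def traversal_is_blocked() -> bool:
    """Show that a hand-crafted archive with a '../' member is refused."""
    with tempfile.TemporaryDirectory() as work:
        bad = Path(work) / "bad.tar.gz"
        with tarfile.open(bad, "w:gz") as tar:
            info = tarfile.TarInfo("../escaped.txt")
            payload = b"owned"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        try:
            restore(bad, Path(work) / "out")
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print(demo())
    print("traversal blocked:", traversal_is_blocked())
```

The report lists missing, extra and corrupt files rather than a bare pass/fail, because the evidence the auditor files is the list itself; a real re-performance would point the same routine at a copy of the production backup and a scratch restore target instead of the constructed fixture.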
APPENDIX 2. IT AUDIT
AREAS AND ISSUES
Overview: This appendix contains a list of IT audit areas and issues to be reviewed and
selected when IT Auditors prepare an IT Audit Program for a specific IT audit. For more
details, assessment actions and questions, etc., see IT Audit Support Tools 1 (book 4 – IT
audit programs) and IT Audit Support Tools 2 (book 5 – IT Audit Questionnaires).
Area 2. IT STRATEGY
Issues: Strategy Process; Strategic Management and Plan; Electronic Data Interchange Strategy;
Area 4. IT SECURITY
Issues: Management of Information Security; Information Security Policy, Procedures and
Organization; Hardware Security; Physical Access Security; Personnel Security; Operating
System, Network, Data Base Management and Application Systems Security; Network and
Operations Security; Electronic Crime and Sabotage; Network Management; Logical Access
Management; Mobile Computing and Hand-Held Devices; E-Commerce Management; IT
security intrusion response, etc.
APPENDIX 3. IT SYSTEMS
TESTING METHODOLOGY
Overview: This Appendix describes the steps of an IT Systems Testing Methodology and
four System Testing Forms used in this testing process.
1. Examination and review of all parts of the system and its output, deliverables, etc.
2. Analysis and assessment of the risks to examine and establish what functions of
the system should be tested more,
3. Establishment of a dedicated test environment,
4. Design of all tests,
5. Execution of tests which should include: Testing of system designs, testing
of code as it is developed, testing of integration when components are ready,
testing of interfaces, user acceptance testing, both ‘black box’ testing (testing
from an external perspective) and ‘white box’ testing (testing from an internal
perspective with access to source code and architecture documents), regression
analysis and testing, negative testing (how a system responds to incorrect or
inappropriate information) and testing of data conversion routines,
6. Review and examination of all results,
7. Documenting and filing the test process and results (see form in Annex 1),
8. Logging and resolving all issues and errors,
9. Reporting all test results, and
10. Filing all intermediate and final test data and results.
Tester Name:
Hardware required:
Software required:
Inputs required:
Outputs expected:
Project Name:
Work Package:
Unit:
Tester:
Date:
Number:
Test Cases:
Set Up Instructions:
Start Instructions:
Proceed Instructions:
Performance Measures:
Stop Instructions:
Note: For each test case scenario the above should be recorded
Project:
Tester:
Date:
Pass/Fail:
Approval:
Note: For each test case executed the above should be recorded
Error No:
Description:
Severity:
Note: For each test case executed the above should be recorded
APPENDIX 4. IT APPLICATION
QUALITY AUDIT PROGRAM
Overview: This appendix describes the criteria and a way to assess the quality aspects of the
various phases of developing an application system. It is designed to be used in conjunction
with the ‘Applications Controls and End-User Computing Audit Program’ (book 5).
1.1. Criteria for the Analysis and Design phase of the Application: Compliance with
standards and procedures, Interoperability, Suitability, Data Security, and Quality of operational
control measures of the application.
1.2. Criteria for the Operation phase of the Application: Input/output Controls, Results
Accuracy, Ease of Operation, Response, Availability, User Assistance, and Reliability
of Operation.
1.3. Criteria for the Application Maintenance phase: Ease of debugging, Ease of making
changes, Test data quantity and quality and Maintenance Cost.
1.4. Criteria for the Application Documentation phase: User Guide, Functional
Documentation, and Technical Documentation.
7. Auditor’s Comments
IT auditors record a summary of what they found during the above assessment process of
the specific application evaluated.
Comments: ………………………………………………………
APPENDIX 5. ITAF BRIEF DESCRIPTION
ITAF provides a single source through which IT audit and assurance professionals can seek
guidance, research policies and procedures, obtain audit and assurance programs, and develop
effective reports. While ITAF incorporates existing ISACA standards and guidance, it has
been designed to be a living document. As new guidance is developed and issued, it will
be indexed within the framework. The scope of the guidance provided in ITAF has been
incorporated into the latest thinking offered in COBIT 5.
APPENDIX 6. DATA PROTECTION AND IT SECURITY CHECKLIST
Area B: Methodologies
1. Integrating Security and Privacy in Information Systems: ____
2. Assessing Information Technology risks: ____
Area C: Plans
1. Information security strategy plan: ____
2. Business Continuity Critical Functions Plan: ____
3. Civil Threats Plan: ____
4. Corporate Data Protection and IT Security Plan: ____
5. Personal Data Privacy Protection Program: ____
6. Data Protection Awareness and Education Plan: ____
7. Data Subjects Claims and Complaints Response Plan: ____
Area E: Software
1. Data loss prevention (DLP) software: ____
2. Software tools for aggregation, data masking, pseudonymisation, or
anonymization: ____
3. Encryption technology: ____
4. Intrusion Detection and Prevention System: ____
APPENDIX 7. VISUAL AUDIT TOOLS
VAT 1. SIPOC
SIPOC is an acronym for: Supplier; Input; Process; Output; and Customer.
The purpose of this visual tool (the SIPOC diagram) is to identify the overall processes in the
work system; to provide an overall perspective and support the definition, structuring and
scoping of complex work systems; and to highlight possible problems or weaknesses in the
processes of the work system.
A network flow diagram indicates the routes over which data travels, the internal and external
nodes on which it is stored or processed, and the purpose of those nodes. Network flow
diagrams are essential to understanding the environment that hosts sensitive data as well as
risk mitigation and the enforcement of information security policies.
Data flow diagrams can be divided into logical and physical. The logical data flow diagram
describes flow of data through a system to perform certain functionality of a business. The
physical data flow diagram describes the implementation of the logical data flow.
VAT 5. Flowchart
Flowcharts may be used for diagnosing a malfunction or to troubleshoot problems. Business
organizations also use flowcharts for process improvement. Breaking down processes into
smaller steps, then examining them closely can reveal areas of both operating inefficiency
and opportunity for improvement.
END NOTES
https://www.isaca.org/bookstore/audit-control-and-security-essentials/witaf4
https://www.iaasb.org/projects/auditor-reporting
https://www.ifac.org/system/files/downloads/a036-2010-iaasb-handbook-isa-700.pdf
www.aicpa.org
https://pcaobus.org/oversight/standards/auditing-standards/details/AS3101
CHAPTER 5
Note 1. Benford’s law, also called the Newcomb–Benford law, the law of anomalous numbers,
or the first-digit law, is an observation about the frequency distribution of leading digits in
many real-life sets of numerical data. The law states that in many naturally occurring collections
of numbers, the leading digit is likely to be small. In sets that obey the law, the number
1 appears as the leading significant digit about 30 % of the time, while 9 appears as the
leading significant digit less than 5 % of the time. If the digits were distributed uniformly,
they would each occur about 11.1 % of the time. Benford’s law also makes predictions about
the distribution of second digits, third digits, digit combinations, and so on.
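As an added illustration of the first-digit test described in Note 1 (example code written for this edition, not part of the book), the following Python computes the Benford expectations, the observed leading-digit frequencies of two constructed sets of amounts, and the mean absolute deviation (MAD) used to judge conformity; the MAD bands are the ones commonly attributed to Nigrini and are an assumption here, not something the book states.

```python
import math
from collections import Counter

def benford_expected(d: int) -> float:
    """Probability under Benford's law that the leading significant digit is d (1-9)."""
    return math.log10(1 + 1 / d)

def leading_digit(x: float):
    """First significant digit of x, or None for zero (sign is ignored)."""
    if x == 0:
        return None
    # Scientific notation puts the first significant digit in front of the point,
    # which avoids floating-point surprises from dividing by powers of ten.
    return int(f"{abs(x):e}"[0])

def first_digit_frequencies(values):
    """Observed share of each leading digit 1-9 across the non-zero values."""
    digits = [d for d in (leading_digit(v) for v in values) if d is not None]
    counts = Counter(digits)
    n = len(digits)
    return {d: counts.get(d, 0) / n for d in range(1, 10)}

def mean_absolute_deviation(observed):
    """Average |observed - expected| over the nine digits (the MAD statistic)."""
    return sum(abs(observed[d] - benford_expected(d)) for d in range(1, 10)) / 9

def conformity(mad: float) -> str:
    """First-digit MAD bands as commonly cited after Nigrini (assumed, not from the book)."""
    if mad <= 0.006:
        return "close conformity"
    if mad <= 0.012:
        return "acceptable conformity"
    if mad <= 0.015:
        return "marginal conformity"
    return "nonconformity"

# Constructed sample 1: amounts growing geometrically span several orders of
# magnitude, which is the kind of data Benford's law describes.
NATURAL_AMOUNTS = [round(1.1 ** i, 2) for i in range(120)]

# Constructed sample 2: ninety amounts clustered in 4900-4989 plus ten round
# figures, the kind of pattern an auditor would want the test to flag.
CLUSTERED_AMOUNTS = [4900.0 + i for i in range(90)] + [100.0 * k for k in range(1, 11)]

def benford_report(values):
    """Return (frequencies, MAD, verdict) for a set of amounts."""
    freq = first_digit_frequencies(values)
    mad = mean_absolute_deviation(freq)
    return freq, mad, conformity(mad)
```

`benford_report(CLUSTERED_AMOUNTS)` returns a digit-4 share of 0.91 and a MAD far above the 0.015 band, so the verdict is "nonconformity", whereas the geometric sample stays well inside the bands; a flagged population is a prompt for follow-up testing of the underlying transactions, not proof of error.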
BIBLIOGRAPHY
For risk assessment my book is: ‘Assessing Information Risks: The GDPR Employees’ Guide -
Part IV’, at: https://bookboon.com/en/assessing-information-risks-ebook
https://www.researchgate.net/profile/John-Kyriazoglou-2/publications
DISCLAIMER
The material, concepts, ideas, plans, policies, procedures, forms, methods, tools, etc. presented,
described and analyzed in all chapters and appendices, are for educational and training
purposes only. These may be used only, possibly, as an indicative base set, and should be
customized by each organization, after careful and considerable thought as to the needs and
requirements of each organization, taking into effect the implications and aspects of the
legal, national, religious, philosophical, cultural and social environments, and expectations,
within which each organization operates and exists.
Every possible effort has been made to ensure that the information contained in this book
is accurate at the time of going to press, and the publishers and the author cannot accept
responsibility for any errors or omissions, however caused. No responsibility for loss or
damage occasioned to any person acting, or refraining from action, as a result of the material
in this publication can be accepted by the publisher or the author.