
John Kyriazoglou

IT Audit Execution Tools - Book 3
Tools to Support Effective IT Audit Projects

IT Audit Execution Tools - Book 3: Tools to Support Effective IT Audit Projects
1st edition
© 2021 John Kyriazoglou & bookboon.com
ISBN 978-87-403-3878-2

IT AUDIT EXECUTION TOOLS - BOOK 3 Contents

CONTENTS
Dedication 6

Overview 7

1 IT Audit Program 8
1.1 Audit Program: General Definition 8
1.2 IT Audit Program 8
1.3 Example of an IT Audit Program 9

2 IT Audit Checklist 17
2.1 Description 17
2.2 How to create an IT Audit Checklist 17
2.3 IT Systems Development Checklist Example 18

3 IT Audit Questionnaire 25
3.1 Brief description 25
3.2 IT Audit Questionnaire Evaluation Method 25
3.3 Example: IT Strategy Audit Questionnaire 26
3.4 Evaluation of Answers 30

4 IT Audit Report Template 31
4.1 IT Audit Report Description 31
4.2 IT Audit Report Example 32

5 Automated IT Audit Tools 40
5.1 Problems of the Traditional Way of Conducting IT Audits 40
5.2 System testing techniques 41
5.3 Automated Audit Software 41
5.4 List of Automated Audit Software Packages 43
5.5 Methodology for Implementing Automated Audit Software Packages 43

Appendix 1. Audit Testing Methods 45

Appendix 2. IT Audit Areas and Issues 47

Appendix 3. IT Systems Testing Methodology 50

Appendix 4. IT Application Quality Audit Program 53

Appendix 5. ITAF Brief Description 58

Appendix 6. Data Protection and IT Security Checklist 59

Appendix 7. Visual Audit Tools 61

End Notes 63

Chapter 5 64

Bibliography 65

DEDICATION
This book is dedicated to my closest family members that support me with all their hearts
and souls: Sandy, Miranda, Chris and Dimitri and above all, Melina, our most precious
gem and princess of our life on this planet.

OVERVIEW
Overview: This book (the third in a series of 5 books) describes a set of IT Audit Execution
Tools that support IT Auditing (e.g., IT Audit Programs, IT Audit Checklists, IT Audit
Questionnaires, IT Audit Report, Audit Testing Methods, etc.): how to create IT Audit
Programs, IT Audit Checklists and IT Audit Questionnaires, how to evaluate audit answers,
the problems of the traditional way of IT auditing, system testing practices, Automated Audit
Software Packages (CAATs), Visual Audit Tools, etc.

These tools are designed to carry out IT Audit Projects and support the audit process,
methods, techniques and controls identified in the other 4 books of this series.

This book is complemented by the following books in this series:

Book 1: ‘IT Audit Guide’
Book 2: ‘IT Governance Controls’
Book 4: ‘IT Audit Support Tools 1’
Book 5: ‘IT Audit Support Tools 2’

1 IT AUDIT PROGRAM
Overview: This chapter defines an IT Audit Program, describes a set of tasks to prepare
it (Part A: Preparation of audit activities; Part B: Execution of audit tasks; and Part C:
Reporting audit findings and results), and presents an example of an IT Audit Program
that may be used to examine the effectiveness of the IT function of ‘ABCD SA’, a fictitious
private company.

1.1 AUDIT PROGRAM: GENERAL DEFINITION

An audit program, in general terms, is a set of instructions that the auditor (internal or
external) and the audit team members need to follow for the proper execution of the audit.

After preparing an audit plan, the auditor allocates the work and prepares a program which
contains steps that the audit team needs to follow while conducting an audit.

Thus, an auditor prepares a program that contains detailed information about the various
steps and audit procedures to be followed during the audit.

The main objective of an audit program is to create a framework that is detailed enough
for anyone in the company or outside, to understand what assessments and examinations
have been completed, what conclusions have been reached and what the reasoning is behind
each conclusion.

1.2 IT AUDIT PROGRAM


The IT Audit Program is defined by a set of policies and procedures that provide guidance
that can be used by auditors to perform IT audits.

The contents of an audit program are, indicatively, the following:

a. Instructions for the collection and examination of evidence, transactions, data,
forms, policies, procedures, etc.;
b. Review of the program code;
c. Testing of information systems with test data, internal processes of the auditor
without the participation of the auditee;
d. Evaluation techniques, etc.

The preparation of each IT Audit Program follows the steps and processes mentioned in
Chapter 4 ‘IT Audit Methodology’ (of Book 1).

An illustrative example follows.

1.3 EXAMPLE OF AN IT AUDIT PROGRAM


Purpose: The purpose of this program is to examine the effectiveness of the IT function
of ‘ABCD SA’, a fictitious private company.

Contents: This audit program includes the following parts: Part A (Preparation of audit
activities); Part B (Execution of audit tasks); and Part C (Reporting audit findings and results).

Part A: Preparation of audit activities

Task A.1. Documentation Collection


The auditor will request and collect IT related documentation, such as:

1. Manual of corporate policies and procedures,
2. Networking Plans of the Data Center,
3. Telecommunication Network Plan,
4. Data Network Diagram,
5. IT Policies and Procedures Manual,
6. Information systems development methodology,
7. IT Assets (hardware, software) Inventory,
8. Information Systems User Manuals,
9. Technical (Programming) Manuals,
10. Software Licenses,
11. Application Changes Log,
12. Equipment and Software Maintenance File,
13. Applications Testing File,
14. IT Projects Folders,
15. Backups and
16. Audit Trail Files.

Task A.2. Documentation Review. Review the above IT Governance related documents with
the auditees to get a full understanding of how these are applied in their every-day practice.

Task A.3. Select Audit Testing Methods. Select one or more testing methods (i.e., Inquiry,
Observation, Inspection of Evidence, Re-performance, CAATs, as per Appendix 1: Audit
Testing Methods) to perform various compliance or substantive tests as regards these
documents and controls.

Task A.4. Risk Analysis


Action 1. Review whether the following usual IT risks (ITR) exist at the time of the audit:

ITR 1. No business plan,
ITR 2. Lack of IT strategy,
ITR 3. No IT budget,
ITR 4. Non-implementation of corporate security policies and procedures,
ITR 5. Lack of information security policies and procedures,
ITR 6. Partial or no segregation of IT duties,
ITR 7. Inability to predict technological (IT and Communications) trends,
ITR 8. Incomplete support of IT systems and equipment,
ITR 9. Insufficient contracts for supply, maintenance and services of external IT partners,
ITR 10. Insufficient monitoring of IT controls and reporting to top management,
ITR 11. Insufficient documentation of information systems,
ITR 12. Partial implementation of IT policies, procedures and standards,
ITR 13. Partial implementation of approval procedures for equipment and software purchases,
ITR 14. No IT emergency or Disaster Recovery plan,
ITR 15. No audit trail on IT Application systems, etc.

Action 2. Interview the appropriate staff to assess if the above risks have been identified
and whether mitigation measures have been implemented.

Task A.5. Completion: Selection of IT audit areas and issues (as per Appendix 2. IT
Audit Areas and Issues) to be audited, and preparation and completion of the IT audit
questionnaires and IT audit checklists that will be used for this audit.

Part B: Execution of audit tasks

Task B.1. Security risk assessment


Perform a risk assessment (see my book in the Bibliography) to ensure, as a minimum, that
proper security controls have been implemented for the usual IT-related sensitive assets,
such as:

1. Data Center Facility.
2. Computers, servers and laptops.
3. Software (operating system, data base, application, network, etc.).
4. Web sites and E-Mail servers and applications.
5. Corporate Data (personal, financial, sales, customer, employee, production,
research and development, etc.).
6. Routers and networking equipment.
7. Printers and Fax machines.
8. Telephone systems (regular, VoIP phones, Digital PBXs, etc.).
9. Cameras, digital or analog, with company-sensitive photographs.
10. Company smartphones/ PDAs, etc.
11. Logs.
12. Access points (external to the building, internal to the main offices, entry to
the critical offices (e.g., Managing Director’s, Finance Director’s, etc.), computer
room, cabling rooms, etc.).

IT Auditor Comments: ___________________________

Task B.2. IT Leadership/Management

1. Review a sample of CEO/Board/Senior Management decisions or memos related
to IT to ensure that they are clear, well substantiated, and unambiguous.
2. Review IT performance measures to ensure that they cover both business and
IT systems.
3. Review formal IT project status reports.

IT Auditor Comments: ___________________________

Task B.3. IT needs and requirements


1. Review documents to ensure that new business requirements are identified and
analyzed according to the company’s requirements management process.
2. Review approved or rejected requirements to ensure that these are in accordance
with accepted company operating principles.
3. Interview management and other critical staff responsible for approving IT
projects to assess their effectiveness.

IT Auditor Comments: ___________________________

Task B.4. IT Asset Investments

1. Interview management to determine the company’s IT investment management
procedures.
2. Review the IT portfolio to assess whether IT projects have been prioritized
according to approved criteria.
3. Review IT status reports to see that they provide cost and schedule tracking.

IT Auditor Comments: ___________________________

Task B.5. IT Compliance and IT Risk Assessment


1. Review corporate policies and procedures to assess risk assessment and
compliance.
2. Review IT policies and procedures to assess IT risk assessment and compliance.
The material in Book 2 ‘IT Governance Controls’ may be of value and should
be considered.
3. Interview management to determine who is responsible for ensuring compliance
to the policies and associated procedures.
4. Review documents to determine whether IT risks are part of the overall
governance risk and compliance (GRC) framework.

IT Auditor Comments: ___________________________

Task B.6. IT Structure

1. Review organizational charts to determine that the IT organization is positioned
at a strategic level (for example, there is a CIO who reports to or is a member
of the Steering Committee).
2. Review the IT organization chart to determine that it is aligned to support
the business (has a help desk, data base managers, maintenance personnel or
contractors who help and facilitate IT operations, etc.).

IT Auditor Comments: ___________________________

Task B.7. IT Policies and Procedures


1. Review HR policies on hiring and termination security, document retention,
contracting and/ or outsourcing, etc.
2. Review IT policies, IT inventory (hardware, software, devices, etc.) and Personal
Data inventory to ensure they are approved and current.
3. Review IT Assets disposal to ensure compliance with corporate records
retention policy.

IT Auditor Comments: ___________________________

Task B.8. IT Change Management

Audit/Review Actions (AR)


1. Review the change management policy document to verify whether procedures
for initiation, review and approval of changes are followed.
2. Ensure that the access to production source library (e.g., Source code,
configurations) is limited to authorized IT staff only.
3. Ensure testing was done prior to introduction into production environment.

IT Auditor Comments: ___________________________

Task B.9. Systems Development Methodology

1. Review the IT user needs and requirements report to ensure users, stakeholders, or
other relevant users are involved in identifying requirements.
2. Ensure effective use of the company’s Systems Development Methodology by
examining one or two critical application systems development projects.
3. Review sample requirements to ensure that there is an initial review, that
similar or duplicate requirements are grouped and that business managers are
included in the process, as needed.

IT Auditor Comments: ___________________________

Task B.10. Data Center Operations


1. Review the physical and environmental controls implemented at the Data
Center (e.g., access control system, CCTV, security guards, fire extinguishers
and fire-suppression systems, fire alarms, etc.).
2. Assess the company’s primary physical security and environmental controls and
examine if they match the current security and environmental risks.
3. Review the IT problem management and incident response policy to find
whether it contains all relevant appropriate stages (e.g., preparation, detection
and analysis, containment and eradication, post-incident activity, responsibility,
scope and reporting requirements etc.).

IT Auditor Comments: ___________________________

Task B.11. IT Security Audit Program


1. Check the IT Strategy to ensure it adequately highlights the critical role of
Information Security.
2. Review coverage of the IT security plan and check whether it considers IT
tactical plans, data classification, technology standards, security and control
policies and risk management, roles and responsibilities, etc.
3. Check whether Intrusion Detection System configurations and logs are analyzed
by appropriate personnel to ensure security of information from hacking attacks
and malware intrusions.

IT Auditor Comments: ___________________________

Task B.12. Application System Operation


1. Select one or more critical application systems to audit.
2. Ensure a unique, specific and non-production environment is established for IT
audit tests.
3. Select one or more critical application systems to audit.
4. Perform the following assessment actions for each application system.
4.1. Review the source code to ensure that the defined edits are included and are
coded properly to achieve the desired result.
4.2. Create and run test transactions to test edits of control significance.

You may use Appendix 3 ‘IT Systems Testing Methodology’ to carry out your tests and
record the results.

4.3. Determine that appropriate input controls are used to ensure accuracy and completeness
of data.

4.4. Review the results of the tests performed by the IT auditor.

4.5. Determine that appropriate output controls are used to ensure accuracy, completeness,
timeliness, and proper distribution of data processed.

4.6. Assess the quality of the IT Application audited. For more details, see ‘Appendix 4:
IT Application Quality Audit Program’.

4.7. Use visual tools (Appendix 7) to understand better the IT Application System you will
be auditing, detect gaps and anomalies, and create tests, as required.

IT Auditor Comments: ___________________________

For more assessment actions, also see the following support tools:
1. IT Audit Programs in Book 4 (‘IT Audit Support Tools 1’), and
2. IT Audit Questionnaires in Book 5 (‘IT Audit Support Tools 2’).

Part C: Reporting audit findings and results


Task 1. Preparation of the IT audit report.
Task 2. Overview of the IT audit report with the auditees.
Task 3. Preparation of the final IT audit report.
Task 4. Archiving all the material of the IT audit assignment in a proper file.

The IT audit report contains three main sections plus an appendix, as follows:

1. Executive Summary,
2. Analytical Results,
3. Audit Findings and Recommendations, and
4. An appendix with a more detailed description of the data and reasoning of the
IT auditor as well as all the results, findings and proposals of the audit with
financial and other data, etc.

A detailed description of the contents of an IT audit report is provided in Chapter 4 ‘IT
Audit Report’.

2 IT AUDIT CHECKLIST
Overview: This chapter describes how to create an IT Audit Checklist and presents an
example of an ‘IT System Development Checklist’.

2.1 DESCRIPTION
A checklist is a type of job aid used to reduce failure by compensating for the potential limits
of human memory and attention. It helps to ensure consistency and completeness in carrying
out a task [1]. A basic example is the ‘to do list’. A more advanced checklist would be a
schedule, which lays out tasks to be done according to time of day or other factors. A primary
task in a checklist is documentation of the task and auditing against the documentation.

An IT Audit Checklist often uncovers specific deficiencies that cause major problems for an
IT function (e.g., IT Operations) or IT Audit Area (e.g., IT Personnel Management). Once
you walk through the checklist, you can clearly see areas where processes and procedures
are lacking or where they might be absent altogether.

With the constantly changing IT technology, your business could be at risk for a variety of
reasons. Plus, there is the reality that hackers and cyber-security threats are also constantly
evolving. When you follow through with an IT Audit Checklist, you are proactively addressing
the reality of today’s IT world and doing your part to protect your IT investments, systems,
applications as well as your business.

2.2 HOW TO CREATE AN IT AUDIT CHECKLIST


You can use the following method to create an IT Audit Checklist for an area or issue (e.g.,
Data Center Operations) that concerns you:

Step 1. Locate the previous IT audit reports for your review.

Step 2. Familiarize yourself with the rules, regulations and standards for the area to be
audited, inspected, assessed, etc.

Step 3. Review the application of the methodologies, policies, rules, regulations and standards
for the area you will be auditing by doing the following:

3.1. Identify the key concepts, phrases, words and requirements of these rules, regulations
and standards.

3.2. Write phrases or questions to determine if the requirements have been met.

Step 4. Locate the corrective actions that have been done during your audit process.

Step 5. Determine what other policies, procedures, work instructions, flowcharts, etc. apply
to this process.

Step 6. Define the support processes and how these processes interact with the process to
be audited. Support processes may include training, auditing of documents and files,
resource management, etc.

Step 7. Prepare a series of items or issues as a checklist.

An illustrative example follows.

2.3 IT SYSTEMS DEVELOPMENT CHECKLIST EXAMPLE


Application Title: The IT Application System under review is the Company Payroll Processing System.

Description: This checklist is based on the classic IT Application Systems Development
Model, the so-called ‘Waterfall model’, which contains 5 stages:

Stage 1. IT Needs Specification,
Stage 2. IT Application Systems Analysis and Design,
Stage 3. IT Application Systems Development,
Stage 4. IT Application Systems Implementation, and
Stage 5. IT Application Systems Evaluation.

The replies in each item below are only documented to give you an idea how to use a
checklist like this.

Stage 1. IT Needs Specification Checklist


1.1. Feasibility Study Completion: Yes

1.2. Feasibility Study Contents: Yes

• Executive Summary
• Problem Description
• Suggested Solutions
• Feasibility Elements
• Development Plan of the proposed Information System
• Recommendations to Management
• Appendix (Minutes of meetings, list of documentation and procedures examined,
technical and financial details, etc.).

Remarks: Feasibility study completed satisfactorily

1.3. User Requirements Documentation: Yes

1.4. User Signoff: Yes

1.5. Senior Management Approval: No

Remarks: Senior management is not very aware of this project

Stage 2. IT Application Systems Analysis and Design Checklist


2.1. General design of IT Application System: Yes

2.2. Detail design of IT Application System: No

2.3. Systems Analysis and Design Completion: Yes

2.4. Systems Analysis and Design Documentation Contents:

• Executive Summary,
• Summary of Analysis and Design
• Requirements and Needs of Users,
• Description of a future ‘logical’ system,
• Description of a future ‘physical’ system,
• System flowcharts,
• Data flow diagrams,
• Entity-relationship diagrams,

• Process narratives
• System Restrictions, and
• Appendix (Minutes of meetings, program development budget, list of supporting
documentation, etc.).

Remarks: This documentation needs improvement

2.5. User Signoff: No

2.6. Senior Management Approval: No

Remarks: Users and management have not approved this stage

Stage 3. IT Application Systems Development Checklist


3.1. Completion of developing computer programs: Yes

3.2. Computer software code based on written specifications: No

3.3. Testing of computer programs and system completed: Yes

3.4. Unique test environment with test data: Yes

3.5. Testing plan: No

3.6. Testing strategy: No

3.7. Tests for each program, sub-system and whole system: Yes

3.8. Documentation of all tests filed: Yes

3.9. Users participate in all tests: No

3.10. Application documentation contents:

• Purpose and diagrams for each program of the information system (e.g., program
flowcharts, decision tables, structure charts, etc.)
• Printouts of source code
• Descriptions of data entering and exiting the system

• File descriptions (inputs, master files, data bases and outputs)
• Test data and test results
• History of changes and related approvals.

3.11. User Signoff: No

3.12. Senior Management Approval: No

Remarks: Documentation needs improvement. Users and management need to become
aware and approve this stage.

Stage 4. IT Application Systems Implementation Checklist


4.1. Application system installed (transferred to production status): Yes

4.2. Acceptance of end users: Yes

4.3. Data loaded on systems by migration plan: Yes

4.4. Operational procedures (security, backup, recovery, performance monitoring, data base
space management, etc.), tested before production status: Yes

4.5. Senior Management Approval: No

Remarks: Management must be informed and approve this stage

4.6. System Operations Procedures Documentation:

• Instructions for completing all forms for entering data into the system (input
source, form and receiving instructions)
• Instructions for transmitting reports and other digital media to other systems or sites
• Technical operating instructions for configuring and executing system workflows
in the computer system
• Instructions for performing backup, recovery and re-start procedures
• Instructions for correcting errors, etc.

Remarks: Documentation needs improvements

4.7. User Guide (Documentation): ____

• Detailed description for each operation of the application
• Procedures for completing forms, screens and reports
• Description of the system files
• Description of the control measures of the processed data
• Instructions for correcting errors, etc.

4.8. User Signoff: No

4.9. Senior Management Approval: No

Remarks: Documentation needs improvement. Users and management need to become
aware and approve this stage.

4.10. Change Management Procedure: No

• Keeping a log of changes
• Testing of changes
• Executing a backup before the transfer of the changed code into production
• Update all documentation of the information system with the new changes.

4.11. User Signoff: No

4.12. Senior Management Approval: No

Remarks: Procedure needs improvement. Users and management need to become aware
and approve this stage.

Stage 5. IT Application Systems Evaluation Checklist


5.1. Post-implementation review process: No
5.2. IT Application Project Needs Assessment: No

• Reasons for the project
• Business requirements
• Feasibility study or plan met business requirements.
• Scope of the project
• Costs and benefits of the project
• User requirements (software, hardware, communications, operating environment)
• Other pertinent technical and legal constraints.

Remarks: A post-implementation review needs to be executed

5.3. IT Application Project Management Assessment: No

• Authority of IT project team manager
• End user participation
• Levels of expertise in the business and technical areas
• Participation of internal audit, legal and other critical areas, etc.
• IT project plan followed
• Deviations documented
• Project successful (on time, within budget).

Remarks: An IT Application Project Management Assessment needs to be executed

5.4. IT Quality Assessment: No

• System response (time) satisfactory
• Accuracy in recording transactions
• User-friendly
• Clear reports
• Correct updating of all computerized files

Remarks: An IT Application Quality Assessment needs to be executed

5.5. IT System Testing Assessment: No

• System fully tested prior to implementation
• Completeness of the test plan
• Critical functions testing
• Error testing
• Volume and stress testing
• Security testing
• Testing interfaces with other systems
• Database and network communications testing
• End-user involvement in acceptance tests
• Documentation of tests
• Resolution of all problems identified during the testing process.

Remarks: An IT Application System Testing Assessment needs to be executed

5.6. IT System Documentation Assessment: No

• Operations and user manuals ready prior to implementation
• Complete instructions on operating the system
• All operating staff have access to this manual
• Information contained makes the system easier to run.

Remarks: An IT Application Documentation Assessment needs to be executed

IT Audit Checklists are used to support the assessment actions of the IT Audit Programs.

Examples of IT Audit Checklists are included in the IT Audit Programs in Book 4.

For more examples, see Appendix 6: Data Protection and IT Security Checklist.

3 IT AUDIT QUESTIONNAIRE
Overview: This chapter describes an IT Audit Questionnaire Evaluation Method and an
example of a standard IT Strategy Audit Questionnaire.

3.1 BRIEF DESCRIPTION


The IT Audit Questionnaire provides a set of critical questions that can be used by auditors
during an IT audit to record the auditee’s views on issues and problems in the area being
audited.

3.2 IT AUDIT QUESTIONNAIRE EVALUATION METHOD


For each question referred to in the IT Audit Questionnaire described below, the answer
should be noted on the basis of the following rationale:

Grade 1 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is specified by an industry or company standard, is approved
and monitored by management, ratified by the board, known to staff and applied always
effectively. This is the perfect situation.

Grade 2 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is approved and monitored by management, known to staff and
applied effectively most of the time. This is a near-perfect situation.

Grade 3 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is known to staff and applied effectively in very many cases but
not monitored by management. This is the middle-case situation.

Grade 4 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is known to some staff and applied sometimes, depending on the
person involved, but not monitored by management. This is the next to the worst situation.

Grade 5 = The answer to this specific question refers to a control (e.g., vision statement,
security policy, etc.) which is known to very few staff and applied rarely or not at all and
not monitored by management. This is the worst situation.

Evaluation of answers
There are a number of questions that cover specific topics. The correct and effective answers to
these questions can be evaluated as follows:

Step 1: Summarize all grades per question, i.e., how many “1”, how many “2”, etc.
Step 2: Summarize all “NO” answers and give them a grade of “5” = N.
Step 3: Total sum of grades “1”, “2”, “3”, “4”, and “5”.
Step 4: Multiply the grades as follows:

• Number of “1” answers X 100 = S1
• Number of “2” answers X 80 = S2
• Number of “3” answers X 40 = S3
• Number of “4” answers X 10 = S4
• Number of “5” answers X 5 = S5.

Step 5: Sum of N + S1 + S2 + S3 + S4 + S5 = (S6)
Step 6: Divide (S6) by the number of questions = A
Step 7: Strategy Readiness or Compliance Indicator = A % (scale 1 to 100)

1. This result (A) shows the degree of readiness of the company for the specific IT
issue (i.e., IT strategy), on a scale of 1 to 100.
2. The closer the result is to 100, the better the IT strategy will work. The further
away it is, the more the IT strategy needs to be improved.
3. For example, a result > 70% means that the business has an IT strategy but
needs further improvements.
4. A result of < 60% indicates that a lot of improvement is needed.
5. A result of < 40% requires radical improvement, and so on.
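The evaluation steps above, worked through in code. This is an added example and not the book's own material. It assumes that a “No” answer is graded 5 exactly once (so N is simply the weighted total of the “No” answers and is not counted a second time under S5), and it labels the 60%-70% band, which the method does not name, as an assumption. The sample input is constructed from the answers recorded for Q1 to Q8 in the IT Strategy Audit Questionnaire example of Section 3.3 (Q1 answered “No”).

```python
"""Worked example of the IT Audit Questionnaire Evaluation Method (Section 3.2).

Added example, not the book's own code. Assumption: a "No" answer is graded 5
once (Step 2), so N is the weighted total of the "No" answers and those answers
are not counted a second time under S5.
"""
from collections import Counter
from typing import NamedTuple

# Step 4: weight applied to the number of answers with each grade.
GRADE_WEIGHTS = {1: 100, 2: 80, 3: 40, 4: 10, 5: 5}
NO_ANSWER_GRADE = 5  # Step 2: every "No" answer receives grade 5


class Answer(NamedTuple):
    question: str
    yes: bool
    grade: int  # grade recorded by the auditor; ignored when yes is False


def effective_grade(answer: Answer) -> int:
    """Grade that enters the calculation: "No" answers are forced to 5 (Step 2)."""
    if not answer.yes:
        return NO_ANSWER_GRADE
    if answer.grade not in GRADE_WEIGHTS:
        raise ValueError(f"{answer.question}: grade must be 1..5, got {answer.grade}")
    return answer.grade


def evaluate(answers):
    """Run Steps 1-6 and return (indicator A, counts per grade, weighted sums S1..S5)."""
    if not answers:
        raise ValueError("at least one answered question is required")
    counts = Counter(effective_grade(a) for a in answers)        # Steps 1-3
    sums = {g: counts[g] * w for g, w in GRADE_WEIGHTS.items()}  # Step 4 (S5 includes N)
    s6 = sum(sums.values())                                      # Step 5
    indicator = round(s6 / len(answers), 2)                      # Step 6: A
    return indicator, {g: counts[g] for g in GRADE_WEIGHTS}, sums


def interpret(indicator: float) -> str:
    """Reading of A with the bands given in Section 3.2 (Step 7).

    The method does not name the 60%-70% band; that label is an assumption here.
    """
    if indicator > 70:
        return "IT strategy in place, further improvements needed"
    if indicator < 40:
        return "radical improvement required"
    if indicator < 60:
        return "a lot of improvement needed"
    return "improvement needed (60%-70%, band not named in the method)"


# Constructed sample: the answers recorded for Q1-Q8 of the IT Strategy
# Audit Questionnaire example in Section 3.3 (Q1 was answered "No").
SAMPLE = [
    Answer("Q1", False, 0), Answer("Q2", True, 3), Answer("Q3", True, 5),
    Answer("Q4", True, 3), Answer("Q5", True, 1),
    Answer("6.1", True, 3), Answer("6.2", True, 3), Answer("6.3", True, 4),
    Answer("6.4", True, 4), Answer("6.5", True, 2), Answer("6.6", True, 5),
    Answer("7.1", True, 1), Answer("7.2", True, 5), Answer("7.3", True, 3),
    Answer("7.4", True, 4), Answer("7.5", True, 3), Answer("7.6", True, 3),
    Answer("Q8", True, 3),
]

if __name__ == "__main__":
    a, counts, sums = evaluate(SAMPLE)
    print(f"grade counts: {counts}")
    print(f"S1..S5: {sums}")
    print(f"Readiness indicator A = {a}%  ->  {interpret(a)}")
```

For the 18 recorded answers the grade counts are 2, 1, 8, 3 and 4 for grades 1 to 5, giving S6 = 650 and an indicator A of about 36%, which the bands above read as requiring radical improvement. Because every “No” answer and every grade-5 answer carries the same weight of 5, a questionnaire with many unanswered or unimplemented controls is pulled towards the bottom of the scale quickly, which is the intended behaviour of the method.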

An illustrative example of questions and evaluation follows.

3.3 EXAMPLE: IT STRATEGY AUDIT QUESTIONNAIRE

Purpose
The purpose of this questionnaire (IT Strategy Audit Questionnaire Example) is to assist
and support the effort to diagnose and determine the degree of readiness of the specific
company for IT strategic issues. For each of the following questions, the answer should be
noted, as per above paragraph (3.2. IT Audit Questionnaire Evaluation Method).

Part A: IT Vision, Mission and Strategy

Q1. Is there a corporate vision, mission and overall business strategy implemented, and at
what level of management?
Answer: Yes: ___ No: X   Grade: 0

Q2. Are there business plans and objectives at the overall level, level of operation, level of
service, level of management / unit?
Answer: Yes: X No: ___   Grade: 3

Q3. Is there an IT vision, mission and overall IT business strategy implemented, and at
what level of effectiveness?
Answer: Yes: X No: ___   Grade: 5

Q4. Are there a budget, priorities, and other IT resources?
Answer: Yes: X No: ___   Grade: 3

Q5. Is there a communication system used to inform all parties of the strategies, policies,
goals, and customer service issues and concerns?
Answer: Yes: X No: ___   Grade: 1

Q6. Are the vision, mission and business strategy of the company understood and supported
by all levels of the organization?

6.1. Staff?
Answer: Yes: X No: ___   Grade: 3

6.2. Suppliers?
Answer: Yes: X No: ___   Grade: 3

6.3. External Parties?
Answer: Yes: X No: ___   Grade: 4

6.4. Customers?
Answer: Yes: X No: ___   Grade: 4

6.5. Management?
Answer: Yes: X No: ___   Grade: 2

6.6. Board of Directors?
Answer: Yes: X No: ___   Grade: 5

Q7. Are the IT vision, mission and IT strategy of the company understood and supported
by all levels of the organization?

7.1. Staff?
Answer: Yes: X No: ___   Grade: 1

7.2. Suppliers?
Answer: Yes: X No: ___   Grade: 5

7.3. External Parties?
Answer: Yes: X No: ___   Grade: 3

7.4. Customers?
Answer: Yes: X No: ___   Grade: 4

7.5. Management?
Answer: Yes: X No: ___   Grade: 3

7.6. Board of Directors?
Answer: Yes: X No: ___   Grade: 3

Q8. Is there a quality system in the company?
Answer: Yes: X No: ___   Grade: 3

Q9. Is there a risk management system in place?
Answer: Yes: X No: ___   Grade: 4

Q10. Is IT strategy aligned well with corporate strategy?
Answer: Yes: X No: ___   Grade: 2

Auditor Comments: The IT vision and mission need to be communicated better.

Part B: Support and Management Commitment

Q1. Is there support and a clear commitment from the board, its members and senior
management to IT?
Answer: Yes: X No: ___   Grade: 5

Q2. Have the reasons for the required IT systems and operations been clearly and
comprehensibly identified and approved, as required?
Answer: Yes: X No: ___   Grade: 2

Q3. Are the IT vision, mission and objectives equally acceptable to all management and users?
Answer: Yes: X No: ___   Grade: 4

Q4. Do end-user managers have a full understanding of and commitment to the company’s
vision, mission and goals, and do they believe they have the full support of leadership?
Answer: Yes: X No: ___   Grade: 3

Q5. Do end-user managers have a full understanding of and commitment to IT’s vision, mission
and goals, and do they believe they have the full support of IT?
Answer: Yes: X No: ___   Grade: 2

Q6. Do IT staff have a full understanding of and commitment to the vision, mission and
goals of IT?
Answer: Yes: X No: ___   Grade: 1

Q7. Do IT staff have the full support of management in the issues and difficulties of implementing
IT systems?
Answer: Yes: X No: ___   Grade: 5

Q8. Do IT staff have the required theoretical and practical training, qualifications and skills
to deal with and effectively solve the implementation issues of IT systems?
Answer: Yes: ___ No: X   Grade: 0

Q9. Is there a full understanding of the time, effort, success factors and risks of implementing
an IT system?
Answer: Yes: X No: ___   Grade: 2

Q10. Are there approved financial resources for the design, maintenance and improvement
of IT systems?
Answer: Yes: X No: ___   Grade: 1

Q11. Are there an approved methodology and development standards for the design, operation,
maintenance and improvement of IT systems?
Answer: Yes: X No: ___   Grade: 5

Q12. Are external partners providing IT services and support managed well?
Answer: Yes: X No: ___   Grade: 2

Auditor Comments: Better top management support of the IT mission is required.

3.4 EVALUATION OF ANSWERS

There are 32 questions that cover the specific topics, i.e.: Vision, Mission and Strategy (20
questions) and Management Support and Commitment (12 questions). The correct and
effective answers to these questions can be evaluated according to the above method (see
paragraph 3.2. ‘IT Audit Questionnaire Evaluation Method’).

Step 1: Summarize all grades per question, i.e., how many “1”, how many “2”, etc.

Step 2: Summarize all “NO” answers and give them a grade of “5” = N.

Step 3: Total the counts of grades “1”, “2”, “3”, “4”, and “5”.

Step 4: Multiply the counts as follows:

• Number of “1” answers: 2 × 100 = S1 = 100
• Number of “2” answers: 6 × 80 = S2 = 480
• Number of “3” answers: 9 × 40 = S3 = 360
• Number of “4” answers: 5 × 10 = S4 = 500
• Number of “5” answers: 6 × 5 = S5 = 30

Step 5: Sum of N + S1 + S2 + S3 + S4 + S5 = (S6) = 1475

Step 6: Divide (S6) by the number of questions (1475/32) = A = 46.09

Step 7: Strategy Readiness or Compliance Indicator = A = 46.09 % (scale 1 to 100)

Auditor remarks: As described above (see paragraph 3.2. ‘IT Audit Questionnaire Evaluation
Method’), a compliance indicator of 46.09 % (100% is perfect) indicates that the IT strategy
issue of the specific company requires a lot of improvement.
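As an added illustration (not the book’s code), the following Python applies Steps 1-7 of paragraph 3.2 to a constructed set of eight answers and reads the result with the Step 7 bands; the question identifiers, the answers and the labelling of the 60-70 band (which the method does not describe) are assumptions.

```python
"""Scoring a Yes/No + grade questionnaire with Steps 1-7 of paragraph 3.2.

Added example; not the book's own code.  The weights (100, 80, 40, 10, 5),
the rule that every "No" answer counts as a grade of 5 (N), and the reading
of the result under Step 7 are taken from the text.  The questions and
answers in SAMPLE_ANSWERS are constructed, not the book's worked example.
"""
from collections import Counter
from dataclasses import dataclass

# Step 4 multipliers per grade; grade 1 is the best case, grade 5 the worst.
WEIGHTS = {1: 100, 2: 80, 3: 40, 4: 10, 5: 5}
# Step 2: every "No" answer is given a grade of 5; their sum is N.
NO_WEIGHT = 5


@dataclass(frozen=True)
class Answer:
    question: str   # e.g. "Q6.3" (constructed identifier scheme)
    yes: bool
    grade: int      # 1..5 for a "Yes" answer, 0 for a "No" answer


def validate(answers):
    """Reject a filled-in questionnaire that the method cannot score."""
    if not answers:
        raise ValueError("no answers to evaluate")
    for a in answers:
        if a.yes and a.grade not in WEIGHTS:
            raise ValueError(f"{a.question}: a Yes answer needs a grade 1-5, got {a.grade}")
        if not a.yes and a.grade != 0:
            raise ValueError(f"{a.question}: a No answer carries no grade, got {a.grade}")
    ids = [a.question for a in answers]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate question identifiers")


def tally(answers):
    """Steps 1-3: how many of each grade, and how many "No" answers."""
    counts = Counter(a.grade for a in answers if a.yes)
    n_no = sum(1 for a in answers if not a.yes)
    return {g: counts.get(g, 0) for g in WEIGHTS}, n_no


def compliance_indicator(answers):
    """Steps 4-7: return (A, breakdown), A being the indicator on the 1-100 scale."""
    validate(answers)
    counts, n_no = tally(answers)
    partials = {f"S{g}": counts[g] * w for g, w in WEIGHTS.items()}  # S1..S5
    n = n_no * NO_WEIGHT                                               # N
    s6 = n + sum(partials.values())                                    # Step 5
    a = s6 / len(answers)                                              # Step 6
    return round(a, 2), {**partials, "N": n, "S6": s6}


def interpret(indicator):
    """Step 7 reading of the result, as stated in the method."""
    if indicator > 70:
        return "IT strategy exists but needs further improvements"
    if indicator < 40:
        return "radical improvement required"
    if indicator < 60:
        return "a lot of improvement required"
    # The method does not describe the 60-70 band; the label below is an assumption.
    return "improvement required (60-70 band, assumption)"


# Constructed sample: eight questions, one of them answered "No".
SAMPLE_ANSWERS = [
    Answer("Q1", True, 1), Answer("Q2", True, 2), Answer("Q3", True, 3),
    Answer("Q4", True, 4), Answer("Q5", True, 5), Answer("Q6", False, 0),
    Answer("Q7", True, 1), Answer("Q8", True, 3),
]

if __name__ == "__main__":
    a, breakdown = compliance_indicator(SAMPLE_ANSWERS)
    print(breakdown)                       # S1=200 S2=80 S3=80 S4=10 S5=5 N=5 S6=380
    print(f"A = {a} % -> {interpret(a)}")  # A = 47.5 % -> a lot of improvement required
```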

4 IT AUDIT REPORT TEMPLATE

Overview: This chapter describes an IT Audit Report Template and how it is used in an
IT audit report example (‘Audit of the IT organization and operations procedures of ABDX
SA’, a fictitious entity).

4.1 IT AUDIT REPORT DESCRIPTION

The main purpose of the IT Audit Report is to inform all stakeholders (management, audit
committee, IT executives, end users, etc.) about the results and findings of this audit.

It also includes a set of recommendations for each audit finding to improve the situation
documented during the audit as well as other elements that complement the audit.

This report template is based on my IT Auditing and Consulting experience in various
settings and contains (indicatively) the following:

Part A. Executive Summary

This part includes: Overview of Report, Framework, Schedule, Audit Objectives, Audit
Methodology, Audit Scope, Summary of Results, Findings and Proposals and Compliance
with Operating Standards.

Part B. Detailed Results, Findings and IT Audit Recommendations

This part contains a detailed description of all test results, findings and recommendations.
For example, for each recommendation, the following elements are included: Brief description
of the recommendation (e.g., ‘Creating an Implementation Team’), Description of the IT
Audit Area, IT Audit Outcomes and Findings, IT Audit Recommendation and Management
Response.

Part C. Appendix
This part contains the most detailed description of the data and reasoning of the IT auditor
as well as all the results, findings and recommendations of the IT audit with financial and
other data, etc.

These contents of the IT Audit Report and especially ‘Part B. Detailed Results, Findings
and IT Audit Recommendations’ are further analyzed below.

4.2 IT AUDIT REPORT EXAMPLE

Part A. Executive Summary

Summary: A brief description of the audit work performed and the framework (e.g.,
schedule, resources, activities, user involvement, etc.) in which the IT Auditor operated.

Audit Objectives: A description of the audit objectives pre-agreed with the audit committee or
other senior management body of the company. For example: ‘Examination of the operation
and effectiveness of the IT Function and systems of the company (‘XYZ Corporation’, a
fictitious Maritime entity) on the basis of international standards and good practice.’

Audit Methodology: A brief description of the audit methodology, techniques, methods,
programs and questionnaires used (details in Appendix).

Areas Audited: Add list from Part B.

Summary of Results, Findings and Recommendations: Summary of audit results, findings
and recommendations, emphasizing the problems and risks perceived during the audit,
the reliability of the data used, the results of the inspection and the deficiencies the report
may present due to the inability to access information, contracts, executives, files, systems,
facilities, etc.

Add list of recommendations from Part B.

Compliance with Operating Standards: Reference to the compliance (or not) of the
specific areas, activities and systems that were tested with an IT standard, such as: COBIT,
ITIL, ISO, etc.

Part B. Detailed Results, Findings and IT Audit Recommendations

Part B1. Overview: This part contains an example of the audit review actions, findings and
recommendations of the IT Infrastructure and Systems used for processing the data by the
example company (‘XYZ Corporation’, a fictitious Maritime entity).

Part B2. IT Facilities and Data Processing Environment

All departments of the company (e.g., Personnel management, Finance, Crew Department,
Technical Department, Customer Support, etc.) process data of customers, employees, crew
members, and other stakeholders (inspectors, manning agents, suppliers, external users, etc.).
All these data are stored in company servers (see Appendix XXX. IT Assets Inventory) at
the company headquarters, accessed via a network and maintained by the following IT
Application Systems:

1. E-Mail server,
2. Personnel Management System,
3. Crew Management System,
4. Vendor Management System,
5. Customer Management System,
6. Financial Management System and
7. Fleet Management System.

In addition to these, the standard application package ‘MS Office’ (Word, Excel, PowerPoint,
etc., of Microsoft) is used to process personal and other data in an office environment. The full
details are contained in the Register of Personal Data and the register of IT assets.

In order to mitigate the impact of various risks (e.g., security, data protection, etc., as per
Appendix XXX), and to remedy the consequences resulting from the faults and findings
described in each IT Audit Area, a set of specific improvement recommendations are proposed
to management by the IT Auditor.

The IT Audit Approach to carry out this audit is detailed in Appendix A of this report.
The ‘IT Audit Programs’, ‘IT Audit Questionnaires’ and ‘IT Audit Evaluation Criteria’
used to compile and assess the audit findings and make the IT audit recommendations
are described in the Appendix of this report.

Part B3. IT Audit Findings and Recommendations

B.3.1. IT Audit Area: IT Organization

Description: IT organization (information technology organization) refers to the department
or function within an organization responsible for identifying, building, deploying, and
maintaining IT services (information technology services). Managing the IT organization
is accomplished by the establishment of IT organization controls.

Purpose and examples of IT Organization Controls

The purpose of IT Organization Controls is to ensure, enable and facilitate (a) the
development, management and maintenance of IT infrastructure and application systems,
and (b) the protection and safeguarding of the IT infrastructure, equipment, facilities and
data of the organization.

A minimum set of IT Organization Controls expected to be operating in this company
includes: IT Department Terms of Reference; IT Staff Job Descriptions; IT Segregation of
Duties; IT Staff Employment Contracts; IT Staff Confidentiality Statements; IT Procurement
Process; IT Committee Charter, etc.

Audit criteria and their use

The way these IT Organization controls are established and implemented is used as the criterion
to assess the audit findings in this area (see next paragraph), i.e., whether they exist, are
effective if established, are managed and monitored by management, staff are aware of and trained
to apply them, records of their use are safely kept, logs of their activities are maintained, etc.

Also, the audit recommendations (detailed below) take into consideration the findings of
the audit, the impact of risks and the company’s risk profile, well-known industry standards
(e.g., ISO, ENISA, ITIL, ISACA, etc.) as well as best practices and IT audit experience.

Audit Findings (F) and Result

F1. The company’s IT Function does not have the required IT Governance policies, procedures
and standards (controls) for its effective operation.

IT Risk Grade: High.

F2. The IT function of the company does not have a standard organizational structure and
does not employ the necessary staff with the required qualifications and skills to fulfill its
purpose.

IT Risk Grade: High.

F3. There are various companies and individuals that support the company’s IT applications
and website. However, there are no formal contracts with these individuals and companies
that support and handle all aspects of the company’s infrastructure and IT applications.

IT Risk Grade: High.

Audit result: The audit of the IT Organization area was completed successfully. The details of
the IT Organization Controls that are currently implemented by the company, which were
reviewed and tested in the process of this IT audit, are included in Appendix X. Major
improvements are required to be implemented by management in order to mitigate the
effect of any risks of mismanaging the IT function.

IT Organization Audit Recommendations

Based on the high degree of risks and their potential impact on IT Operations, the following
recommendations are proposed to management, for their further review and action, as needed.

Audit Recommendation #1: Creation of IT Improvements Implementation Team

The establishment of an IT Implementation Team is necessary for the effective implementation
of all the audit recommendations mentioned in this report.

The team must be properly staffed (manager, IT staff, users, etc.), supported by the relevant
bodies of the company (board of directors, senior executives, etc.), have the necessary financial
resources and a specific schedule and goals, receive instructions for immediate resolution of
problems that arise, and its work must be supported and monitored by top management.

Management response: Agreed.

Audit Recommendation #2: Effective Management of the IT Department

The IT Department must be staffed with the appropriate people who have the necessary
qualifications and skills, and the required knowledge of the company’s business operations.

Management response: Agreed.

Audit Recommendation #3: Establishment of IT Policies and Procedures

IT management must develop the necessary IT policies, standards and procedures and obtain
approval from the top management for their most effective implementation.

Management response: Agreed.

Management action plan: The above three IT Organization recommendations will be
examined in more detail in order to better implement them. The implementation of these
recommendations will be completed by xx / xx / 20xx (final implementation date). For
more details, see the Management Action Plan <title of document>.

B.3.2. IT Audit Area: IT Strategy

Description: IT Strategy (Information Technology Strategy) is an approach to create an IT
capability for maximum, effective and sustainable value for an organization. IT Strategy is
implemented using an IT Strategic Plan, which documents specific steps, deliverables,
timeline, etc., and various other IT strategy support controls.

Purpose and examples of IT Strategic Controls

The purpose of IT Strategic Controls is to define and establish the future IT vision and
mission for the IT assets (infrastructure and systems) of the organization and prepare the
whole IT environment to accommodate such requirements and needs of the IT systems
and IT operations of the organization.

A minimum set of IT Strategic Controls expected to be operating in this company
includes: IT Strategy Analysis Methodology, IT Strategic Plan, IT Strategic Resource Plans,
IT Strategic Budgets, and IT Strategic Analysis Tools, etc.

Audit criteria and their use

The way these IT Strategic controls are established and implemented is used as the criterion
to assess the audit findings in this area (see next paragraph), i.e., whether they exist, are
effective if established, are managed and monitored by management, staff are aware of and trained
to apply them, records of their use are safely kept, logs of their activities are maintained, etc.

Also, the audit recommendations (detailed below) take into consideration the findings of
the audit, the impact of risks and the company’s risk profile, well-known industry standards
(e.g., ISO, ENISA, ITIL, ISACA, etc.) as well as best practices and IT audit experience.

Audit Findings (F) and Result

F1. The procurement of equipment and IT systems to support the critical operations of the
company was not based on a plan with specific needs and requirements but on a case-by-case
basis (ad hoc basis) without any thorough examination and preliminary study.

IT Risk Grade: High.

F2. The information systems and applications used today operate on a variety of technological
environments, have been developed in different time periods and are not complete.

IT Risk Grade: High.

F3. Communications between systems and applications are either non-existent or ad hoc,
and in any case do not work as a whole.

IT Risk Grade: High.

F4. The network infrastructure and a central database, which could be the bridge of
communication between the applications, are missing.

IT Risk Grade: High.

F5. The maintenance of the communication systems, applications and infrastructure is
carried out either by external suppliers or by the staff of the IT function, while there is
no unified strategy in this matter for the whole IT environment.

IT Risk Grade: High.

Audit result: The audit of the IT Strategy area was completed successfully. The details of the
IT Strategic Controls that are currently implemented by the company, which were reviewed
and tested in the process of this IT audit, are included in Appendix X. Major improvements
are required to be implemented by management in order to mitigate the effect of any risks
of mismanagement and waste of strategic resources.

IT Strategy Audit Recommendations

Based on the high degree of risks and their potential impact on IT Systems and Data
Utilization, the following recommendations are proposed to management, for their further
review and action, as needed.

Audit Recommendation #4: Implementing an IT Strategy

The preparation of the company’s IT Strategic Plan is required to better meet the company’s
strategic and operational goals and specific needs and requirements of its critical functions
and make better and more productive use of IT systems, applications and data resources.

This strategy should include what the company needs in equipment, system software,
applications, database technology, etc., based on the next period (2-5 years) as well as
the next decade.

Management response: Agreed.

Management action plan: The above IT Strategy recommendation will be improved by
securing more financial resources in order to better implement it. The implementation of
the recommendation will be completed by xx / xx / 20xx (final implementation date). For
more details, see the Management Action Plan <title of document>.

B.3.4 Overall Conclusion

The results of this audit revealed that while the IT Department manages its activities and
operations quite well, weaknesses have been identified, with moderate to high risk exposures
that require management attention. Improvements are required to address these risk exposures
specifically in the areas of IT Organization; IT Strategy; and Data Center Operations. In
each of these areas, various audit recommendations require management attention and action.

Part C. Appendix
This part contains the most detailed description of the IT auditor’s data and reasoning
as well as all audit results, findings and recommendations with financial and other data,
meeting minutes, resource and financial data tables, charts, test data, copies transactions,
copies of evidence, printouts of logs, etc.

The contents of this part are (as an example) the following:

Appendix 1: IT Assets Register.

Appendix 2: Further analysis of the audit findings and recommendations with financial and
other technical data (for each audit recommendation contained in Part B of the report) as
well as the supporting audit working notes of each auditor.

Appendix 3: Minutes of meetings.

Appendix 4: Resources (names of auditors and audit hours, names of executives, names of
end users, names of external partners and names of companies that maintain equipment
and systems, etc.).

Appendix 5: Financial data.

Appendix 6: Policies and procedures audited.

Appendix 7: Systems tested.

Appendix 8: Test data used.

Appendix 9: Copies of employee files and transactions.

Appendix 10: Copies of audit evidence.

Appendix 11: Printouts of logs, computerized records, etc.

Appendix 12: Management Action Plan for each recommendation included in Part B of
the report with all relevant details, etc.

5 AUTOMATED IT AUDIT TOOLS

Overview: This chapter describes the problems of the traditional way of IT auditing; system
testing practices that help to more fully verify the correctness of the specific application system
checked by the IT Auditor; various automated IT audit tools, also known as Automated
Computer Assisted Audit Techniques (CAATs); and a methodology for implementing
Automated Audit Software Packages.

5.1 PROBLEMS OF THE TRADITIONAL WAY OF CONDUCTING IT AUDITS

In the traditional way of conducting an IT audit, it is common practice for IT Auditors
to draw an opinion on the validity of an IT Application System or operation (e.g., an
online banking system) or of IT policies on the basis of a small and perhaps limited sample
of transactions or records (a maximum of 50-100) or password accounts (3 to 5). This is
in contrast to the thousands or even millions of transactions and records that a modern
business or public organization processes during a working day, month or other time period.

Also, the auditor’s opinion or conclusion is problematic, as it may assure management that
the audited entity has no problems, especially when it uses complex and very sophisticated IT
systems, even though a larger sample would more likely show evidence of fraud and other errors.

When problems, fraud, damage, errors, etc., are later identified and discovered, the management
and senior executives of the company tend to label the entire audit process as inefficient
and invalid, and as unable to add value to the business.

For these reasons, various professional organizations, scientists and companies have increasingly
developed the approach of continuous monitoring of controls and continuous auditing.

This approach is based on a variety of system testing techniques and the full use of Computer
Assisted Audit Techniques (CAATs) or Computer Aided Audit Tools or Computer Assisted
Audit Tools and Techniques (also sometimes referred to as CAATTs), etc.

5.2 SYSTEM TESTING TECHNIQUES

The test practices that can be used in auditing IT Application Systems and help to more
fully verify the correctness of the specific system checked by the IT Auditor, are (as an
example) the following:

1. Test deck. This technique involves test transactions that contain normal and
abnormal data in order to activate the routine logic of the information systems
to prove that the system is working properly and processing the information
according to the designed controls.
2. Integrated test facility. This technique involves the continuous processing of a
complete set of business test transactions in parallel with the operation of the
normal productive operation of the system in order to audit the performance of
the specific information system.
3. Audit file triggering. This technique is used to activate an audit file with
specific business transactions where all operations are recorded during the
execution of specific audits in the data processing process.
4. Parallel simulation. The parallel simulation technique involves creating a set
of programs used by the IT Auditor to simulate the operating processes of the
information system and to compare the test results with the results of the real
information system that runs in production.
5. Program checking. This technique, with the operation of audit software,
analyzes the program code of the information system in production, and
records all operations, and logical interfaces for audit purposes.
6. Mapping of processing. The technique of mapping the processing steps is used
to document the logical interfaces that have not been tested in the specific
programs, to audit them through test transactions and to compare the results
with the expected ones.

5.3 AUTOMATED AUDIT SOFTWARE

This type of software, also known as Automated Computer Assisted Audit Techniques
(CAATs) or Computer Aided Audit Tools or Computer Assisted Audit Tools and Techniques
(also sometimes referred to as CAATTs, etc.), comprises the special audit software tools that usually
resolve the problems of the traditional way of conducting audits mentioned above. If used
properly, these tools process a much larger volume of data, or the entire volume of
transactions and records of the company.

These special software packages (audit software) have the ability to assist and facilitate the
IT Auditor in performing the audits in a more efficient way, such as:

1. Automating the production and printing of audit work notes.
2. The examination of duplicate records, transactions, etc. (duplicate records) and
the extraction of data for further analysis (e.g., possible financial fraud).
3. The preparation and creation of test trial balance sheets of the company’s
financial data.
4. The execution of queries on large data files for further analysis, evaluation and
auditing based on statistical calculations and analysis, fraud detection, etc.
5. The selection and stratification of data, transactions, records, etc., based on
certain predefined or even extraordinary (ad hoc) criteria, such as: high risk
groups, population subgroups, categories, price or amount limits, dates, etc.
6. The selection and extraction of samples from the data, transactions, records,
etc., based on certain predefined or extraordinary (ad hoc) criteria, such as:
transactions with values less than 2 Euros, critical data updates, records for
high-risk clients, time period data, etc.
7. Identifying a missing sequence of entries in files of transactions, messages,
data, etc., based on certain predefined or even extraordinary (ad hoc) criteria
for the order of presence, such as: all transactions for the transfer of very large
amounts between banks to be accompanied by a security key number, the transmission
of messages in a corporate network to have protection records (control headers)
at the beginning and end of the message package, etc.
8. The calculation of totals, averages, etc., in a file of transactions, records, etc.,
containing numbers, amounts and other arithmetic fields using the pivot table
technique.
9. The continuous monitoring of internal protection measures and the continuous
control of the processing and transfer of data, messages, recordings and
transactions (continuous auditing) to detect possible damage, fraud, theft
or other losses, etc.
10. Performing tests for possible fraud on the basis of Benford’s law and examining
data relationships between financial and non-financial data for further
evaluation and analysis of results.
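As an added example (not code from the book or from any of the packages named in this chapter), the following Python runs three of the tests in the list above (items 2, 7 and 10: duplicate postings, missing sequence numbers and a Benford first-digit test) over a constructed transaction file; the account names, amounts and ids are invented, and the chi-square cut-off is the standard 5% critical value for 8 degrees of freedom.

```python
"""Three CAAT-style tests from the list above (items 2, 7 and 10), run over a
constructed transaction file: duplicate postings, gaps in the transaction id
sequence, and a Benford first-digit test.

Added example; not the book's code and not taken from any named audit
package.  The records in SAMPLE_TXNS are constructed for illustration.
"""
import math
from collections import Counter
from dataclasses import dataclass

# Chi-square critical value: 8 degrees of freedom (digits 1-9), 5% significance.
CHI2_CRIT_DF8_P05 = 15.507


@dataclass(frozen=True)
class Txn:
    txn_id: int
    account: str
    amount: float


def find_duplicates(records, key):
    """Item 2: keys (e.g. the id, or account+amount) that occur more than once."""
    counts = Counter(key(r) for r in records)
    return sorted(k for k, c in counts.items() if c > 1)


def find_sequence_gaps(records):
    """Item 7: transaction ids missing between the lowest and highest id seen."""
    seen = {r.txn_id for r in records}
    return [i for i in range(min(seen), max(seen) + 1) if i not in seen]


def first_digit(amount):
    """Leading non-zero digit of an amount (sign and magnitude ignored); None for zero."""
    if amount == 0:
        return None
    # Scientific notation puts the leading significant digit first, e.g. 9.1e+03.
    return int(f"{abs(amount):e}"[0])


def benford_first_digit(amounts):
    """Item 10: compare observed leading digits with Benford's expected shares.

    The expected share of digit d is log10(1 + 1/d).  A chi-square statistic
    above the critical value flags the population as non-conforming, which is
    a prompt for closer review, not proof of fraud.
    """
    digits = [d for d in (first_digit(a) for a in amounts) if d is not None]
    total = len(digits)
    observed = Counter(digits)
    expected = {d: total * math.log10(1 + 1 / d) for d in range(1, 10)}
    chi2 = sum((observed.get(d, 0) - expected[d]) ** 2 / expected[d] for d in range(1, 10))
    return {
        "observed": {d: observed.get(d, 0) for d in range(1, 10)},
        "expected": expected,
        "chi_square": round(chi2, 2),
        "nonconforming": chi2 > CHI2_CRIT_DF8_P05,
    }


# Constructed transaction file: one exact duplicate posting (id 1010), two
# missing ids (1007, 1013) and an implausible pile-up of amounts starting with 9.
SAMPLE_TXNS = [
    Txn(1001, "ACC-1", 9100.00), Txn(1002, "ACC-2", 9250.00), Txn(1003, "ACC-3", 9400.00),
    Txn(1004, "ACC-1", 9875.00), Txn(1005, "ACC-4", 9010.00), Txn(1006, "ACC-2", 9990.00),
    Txn(1008, "ACC-5", 9600.00), Txn(1009, "ACC-3", 9333.00), Txn(1010, "ACC-6", 9120.00),
    Txn(1010, "ACC-6", 9120.00),
    Txn(1011, "ACC-7", 9705.00), Txn(1012, "ACC-1", 1200.00), Txn(1014, "ACC-8", 1450.00),
    Txn(1015, "ACC-2", 2300.00), Txn(1016, "ACC-9", 3100.00), Txn(1017, "ACC-4", 4050.00),
    Txn(1018, "ACC-5", 5500.00), Txn(1019, "ACC-3", 6200.00), Txn(1020, "ACC-7", 7750.00),
    Txn(1021, "ACC-8", 8800.00),
]


def run_caats(records):
    """Run the three tests and return the findings for the audit working notes."""
    return {
        "duplicate_ids": find_duplicates(records, lambda r: r.txn_id),
        "duplicate_postings": find_duplicates(records, lambda r: (r.account, r.amount)),
        "sequence_gaps": find_sequence_gaps(records),
        "benford": benford_first_digit([r.amount for r in records]),
    }


if __name__ == "__main__":
    for name, value in run_caats(SAMPLE_TXNS).items():
        print(f"{name}: {value}")
```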

Some of these audit software packages that assist the IT Auditor in performing IT audits
with CAATs are described below.

5.4 LIST OF AUTOMATED AUDIT SOFTWARE PACKAGES

A non-exhaustive list of Automated Audit Software Packages is presented at: www.capterra.com.

This list is presented on a purely indicative basis and without any commitment or obligation
on behalf of the author and the publisher about the validity or accuracy of the information
provided by the software suppliers and the potential use and applicability of these tools in
audit assignments by IT auditors.

An example of other relevant audit tools (with no commitment, etc.) is:

1. TeamMate Audit Solutions: details at:
https://www.wolterskluwer.com/en/solutions/teammate

2. AutoAudit®: details at:
https://www.refinitiv.com/en/products/autoaudit-internal-auditor-software

3. ACL Audit: details at: www.acl.com.

4. CaseWare™ software package solution: details at:
https://www.caseware.com/products/audit

It is strongly advised that one or more of these be selected, reviewed and tested effectively
by each IT Audit entity before they are put into productive practice.

5.5 METHODOLOGY FOR IMPLEMENTING AUTOMATED AUDIT SOFTWARE PACKAGES

Automated Audit Software Packages (CAATs, CAATTs, etc.) are very critical tools for IT
Auditors. It is, therefore, important to formulate an appropriate methodology to ensure their
effective use. Such a methodology is presented next:

Step 1. Analyze and study the needs and requirements of using auditing tools for the specific
company.

Step 2. Contact other users of the specific tools and find out how the automated tools
support their IT audit work.

Step 3. Understand the audit software by having a walk-through right from user creation,
grant of user access, configuration settings, data entry, query and reporting features.

Step 4. Decide what techniques of CAATs could be used in your IT audit environment.

Step 5. Select one or more tools and run pilot tests.

Step 6. Install selected tools.

Step 7. Ensure your audit people are trained by the selected software suppliers on the use
of these tools.

APPENDIX 1. AUDIT TESTING METHODS

Overview: This Appendix describes five core audit testing methods that IT auditors use to
confirm the facts and answers that a business wants to attain during an IT audit.

Method 1. Inquiry
Inquiry entails asking for an explanation from the auditees relating to the IT control process
(e.g., Password Policy) or transactions of an IT Application System.

Simply, the IT auditor asks, with the use of an IT Audit Checklist or Questionnaire,
appropriate management and staff about the controls in place as regards the audit area
audited (e.g., Data Center Controls) to determine some relevant information.

For example, an IT auditor may inquire of management whether visitors to the Data Center are
escorted at all times, if the auditor is not able to observe this activity while on site.

Method 2. Observation
Observation involves looking at the procedures that are being performed by the auditees
(e.g., IT staff). For example, an IT auditor observes how visitors enter a sensitive area, like
the computer room, or sees if passwords are written on gummed labels near a computer
screen, etc.

Method 3. Inspection of Evidence
Inspection is the process of examining the supporting documents related to IT control
procedures. For example, an IT auditor inspects backup logs, application changes logs, IT
application documentation, security camera logs, etc.
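Inspection of backup logs is one of the examples above. The following added example (not code from the book) parses a few constructed backup log lines and flags the exceptions an IT auditor would look for when inspecting such evidence: days with no run, runs that failed, and a run reported as successful but far smaller than the others (an empty or truncated backup). The log line format, the job name db-nightly, the minimum expected size and the sample lines are all assumptions; a real backup product writes its own format and the regular expression must be adapted to it.

```python
"""Inspect a backup log for missing, failed and undersized daily runs.

Added example, not code from the book. The log line format and the sample
lines below are constructed for illustration; a real backup product writes
its own format and the regular expression must be adapted to it.
"""
import re
from datetime import date, timedelta

# Constructed sample evidence: one line per backup job run (not real logs).
SAMPLE_BACKUP_LOG = """\
2024-03-01 02:00:11 job=db-nightly status=SUCCESS bytes=52428800
2024-03-02 02:00:09 job=db-nightly status=SUCCESS bytes=52691200
2024-03-03 02:00:14 job=db-nightly status=FAILED bytes=0 error=tape-full
2024-03-05 02:00:10 job=db-nightly status=SUCCESS bytes=52822400
2024-03-06 02:00:12 job=db-nightly status=SUCCESS bytes=51200
2024-03-06 03:15:00 job=files-weekly status=SUCCESS bytes=104857600
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ job=(?P<job>\S+) "
    r"status=(?P<status>\S+) bytes=(?P<bytes>\d+)"
)


def parse_backup_log(text):
    """Parse log lines into dicts (day, job, status, bytes); unmatched lines are skipped."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            runs.append({
                "day": date.fromisoformat(m["day"]),
                "job": m["job"],
                "status": m["status"],
                "bytes": int(m["bytes"]),
            })
    return runs


def inspect_backup_runs(runs, job, start, end, min_bytes):
    """Check one job over an inclusive date range and return (day, type, detail) findings:
    MISSING    - no run recorded for that day
    FAILED     - a run was recorded but did not succeed
    UNDERSIZED - a 'successful' run far smaller than expected (empty or truncated backup)
    """
    by_day = {}
    for r in runs:
        if r["job"] == job:
            by_day[r["day"]] = r  # keep the last run of the day if there are several
    findings = []
    day = start
    while day <= end:
        r = by_day.get(day)
        if r is None:
            findings.append((day.isoformat(), "MISSING", "no backup run recorded"))
        elif r["status"] != "SUCCESS":
            findings.append((day.isoformat(), "FAILED", f"status={r['status']}"))
        elif r["bytes"] < min_bytes:
            findings.append((day.isoformat(), "UNDERSIZED", f"bytes={r['bytes']} < {min_bytes}"))
        day += timedelta(days=1)
    return findings


def sample_findings():
    """Run the inspection over the constructed sample for the nightly database job."""
    runs = parse_backup_log(SAMPLE_BACKUP_LOG)
    return inspect_backup_runs(runs, "db-nightly", date(2024, 3, 1), date(2024, 3, 6), 1_000_000)


if __name__ == "__main__":
    for day, kind, detail in sample_findings():
        print(day, kind, detail)
```

Run against the sample, the inspection reports the failed run on 3 March, the missing run on 4 March and the undersized run on 6 March; each finding is then followed up by inquiry or re-performance (Methods 1 and 4) before it is reported.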


Method 4. Re-performance
Re-performance is the process of an IT auditor re-performing the IT control procedures
that were performed by the IT staff. For example, an IT Auditor may run a recovery test
to confirm that a backup procedure works correctly, or test an application system in
an audit-specific test environment, etc.

Method 5. Using CAATs
This method uses specialized software (called CAATs: Computer-assisted audit tools) to
analyze large volumes of data, or every transaction rather than just a sample of all transactions,
perform tests and draw audit evidence on potential anomalies, etc.

APPENDIX 2. IT AUDIT AREAS AND ISSUES
Overview: This appendix contains a list of IT audit areas and issues to be reviewed and
selected when IT Auditors prepare an IT Audit Program for a specific IT audit. For more
details, assessment actions and questions, etc., see IT Audit Support Tools 1 (book 4 – IT
audit programs) and IT Audit Support Tools 2 (book 5 – IT Audit Questionnaires).

Area 1. IT ORGANISATION & ADMINISTRATION
Issues: IT Department Organization; IT Policies and Procedures; CIO Business Plan; Budget;
Performance Monitoring & Capacity Planning; IT Service Management; IT Assets Control;
Project Management; Problem Management; IT Procurement; Vendor Management, IT and
Personal Data Inventories Control; Computer insurance; IT unit performance; IT Personnel
Management Procedures (performance, skills, etc.), etc.

Area 2. IT STRATEGY
Issues: Strategy Process; Strategic Management and Plan; Electronic Data Interchange Strategy;
Effectiveness of IT strategy; People and Resources; IT business plan alignment; Enterprise
Architecture implementation plan; Enterprise Architecture migration plan, etc.

Area 3. SYSTEM DEVELOPMENT & MAINTENANCE
Issues: Standards & Methodologies; Software specifications; Error correction procedures;
Software package evaluation; Program and system testing; User documentation; Identifying
and managing user needs and requirements; Development or Acquisition of IT systems;
Implementing IT application systems; Post implementation review, etc.


Area 4. IT SECURITY
Issues: Management of Information Security; Information Security Policy, Procedures and
Organization; Hardware Security; Physical Access Security; Personnel Security; Operating
System, Network, Data Base Management and Application Systems Security; Network and
Operations Security; Electronic Crime and Sabotage; Network Management; Logical Access
Management; Mobile Computing and Hand-Held Devices; E-Commerce Management; IT
security intrusion response, etc.

Area 5. IT LEGISLATION COMPLIANCE
Issues: Legislation; Hardware and Software licenses; Data privacy; Copyright issues; Website
protection, etc.

Area 6. DATA CENTER OPERATIONS
Issues: Operations standards; Hardware management; Physical Access; Physical and Environmental
protection; Fire protection; Health and safety; Media access control; Preliminary Planning
for Critical Applications; Contingency plan deliverables; Alternate facility review, Backup
and Recovery policy review; Recovery testing plan review; IT Service Management; Problem
and Incident Management; IT Monitoring and Performance Management; Outsourcing
and Cloud Operations, etc.

Area 7. SYSTEMS SOFTWARE MAINTENANCE
Issues: Software assets; Maintenance contracts; Program library maintenance; Problem fixing;
Security review; System documentation review; Performance monitoring; Systems software
security; Systems software back-up, etc.

Area 8. DATA & DATA BASE MANAGEMENT
Issues: Data management; Data Base Controls, Data Base Modeling, Data Base Security, etc.


Area 9. PERSONAL COMPUTERS
Issues: Management control and procedures; Security; Technical support; Software development,
etc.

Area 10. USER SUPPORT
Issues: User satisfaction assessment; Help desk support; Data backup; End-user computing
policy; End-user security; End-user application development and operation, etc.

Area 11. DATA COMMUNICATIONS & NETWORKING
Issues: Strategic planning and design; Network security; Maintenance contracts management;
Problem resolution and support; Change and performance management, etc.

Area 12. APPLICATION OPERATIONS
Issues: Controls (input, processing, etc.); Transaction audit trails; Data integrity controls;
Continuity of application processing; IT Application Quality; Application database controls, etc.

APPENDIX 3. IT SYSTEMS TESTING METHODOLOGY
Overview: This Appendix describes the steps of an IT Systems Testing Methodology and
four System Testing Forms used in this testing process.

Steps of systems testing
The usual steps of a typical IT Systems Testing Methodology to be used by IT Auditors
to test an application system are:

1. Examination and review of all parts of the system and its output, deliverables, etc.
2. Analysis and assessment of the risks to examine and establish what functions of
the system should be tested more,
3. Establishment of a dedicated test environment,
4. Design of all tests,
5. Execution of tests which should include: Testing of system designs, testing
of code as it is developed, testing of integration when components are ready,
testing of interfaces, user acceptance testing, both ‘black box’ testing (testing
from an external perspective) and ‘white box’ testing (testing from an internal
perspective with access to source code and architecture documents), regression
analysis and testing, negative testing (how a system responds to incorrect or
inappropriate information) and testing of data conversion routines,
6. Review and examination of all results,
7. Documenting and filing the test process and results (see form in Annex 1),
8. Logging and resolving all issues and errors,
9. Reporting all test results, and
10. Filing all intermediate and final test data and results.


Annex 1: System Testing Forms

SYSTEM NAME: < …………………………>

Test Case Number:

Tester Name:

Hardware required:

Software required:

Other Test Case Dependency:

Brief Description of the Test Case:

Inputs required:

Outputs expected:

Note: For each test case the above should be recorded

Table 01: Test Case Form-Example

SYSTEM NAME: < ………………….…>

Test Scenario Title:

Project Name:

Work Package:

Unit:

Tester:

Date:

Number:

Test Cases:

Set Up Instructions:

Start Instructions:

Proceed Instructions:

Performance Measures:

Stop Instructions:

Note: For each test case scenario the above should be recorded

Table 02: Test Scenario Form-Example


SYSTEM NAME: < …………………….…>

Test Case Number:

Project:

Tester:

Date:

Pass/Fail:

Actual Results (For Fail):

Error Log Number (For Fail):

Approval:

Note: For each test case executed the above should be recorded

Table 03: Test Case Execution Form-Example

SYSTEM NAME: < ……………………….….…>

Error No:

Description:

Severity:

Note: For each test case executed the above should be recorded

Table 04: Error Log Form-Example
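The Test Case Execution Form (Table 03) and the Error Log Form (Table 04) are linked through the error log number. The following added example (not a form or code from the book) records both as Python dataclasses and cross-checks them before the results are reported (step 9): a Fail must record actual results and cite an error log entry that exists, a Pass must cite none, every record needs an approval, and every error log entry should trace back to a failed test case. The field names follow the two forms; these consistency rules and the sample records are assumptions.

```python
"""Cross-check Test Case Execution records (Table 03) against the Error Log (Table 04)
before the test results are reported.

Added example, not a form or code from the book. Field names mirror the two forms;
the consistency rules (a Fail must record actual results and cite an existing error
log number, a Pass must not cite one) are assumptions about how the forms are used.
"""
from dataclasses import dataclass


@dataclass
class TestCaseExecution:
    """One row of the Test Case Execution Form (Table 03)."""
    test_case_number: str
    project: str
    tester: str
    date: str
    result: str                 # "Pass" or "Fail"
    actual_results: str = ""    # required for Fail
    error_log_number: str = ""  # required for Fail, must exist in the error log
    approval: str = ""


@dataclass
class ErrorLogEntry:
    """One row of the Error Log Form (Table 04)."""
    error_no: str
    description: str
    severity: str


def check_test_records(executions, error_log):
    """Return a list of textual problems; an empty list means the records are consistent."""
    known_errors = {e.error_no for e in error_log}
    problems = []
    seen = set()
    for x in executions:
        tc = x.test_case_number
        if tc in seen:
            problems.append(f"{tc}: duplicate execution record")
        seen.add(tc)
        if x.result not in ("Pass", "Fail"):
            problems.append(f"{tc}: result must be Pass or Fail, got '{x.result}'")
        elif x.result == "Fail":
            if not x.actual_results:
                problems.append(f"{tc}: Fail recorded without actual results")
            if x.error_log_number not in known_errors:
                problems.append(f"{tc}: Fail cites unknown error log number '{x.error_log_number}'")
        elif x.error_log_number:
            problems.append(f"{tc}: Pass should not cite an error log number")
        if not x.approval:
            problems.append(f"{tc}: execution record not approved")
    cited = {x.error_log_number for x in executions if x.result == "Fail"}
    for e in error_log:
        if e.error_no not in cited:
            problems.append(f"{e.error_no}: error log entry not linked to any failed test case")
    return problems


def summarize(executions):
    """Count of Pass and Fail results for the test report."""
    return {
        "pass": sum(1 for x in executions if x.result == "Pass"),
        "fail": sum(1 for x in executions if x.result == "Fail"),
    }


# Constructed sample records (not from a real test run).
SAMPLE_EXECUTIONS = [
    TestCaseExecution("TC-001", "Payroll v2", "A. Tester", "2024-03-04", "Pass", approval="J. Lead"),
    TestCaseExecution("TC-002", "Payroll v2", "A. Tester", "2024-03-04", "Fail",
                      actual_results="net pay negative for zero-hours input",
                      error_log_number="ERR-01", approval="J. Lead"),
    TestCaseExecution("TC-003", "Payroll v2", "B. Tester", "2024-03-05", "Fail",
                      actual_results="report truncated at 1,000 rows",
                      error_log_number="ERR-99", approval="J. Lead"),
]
SAMPLE_ERROR_LOG = [
    ErrorLogEntry("ERR-01", "Negative net pay not rejected by input validation", "High"),
    ErrorLogEntry("ERR-02", "Typo on confirmation screen", "Low"),
]

if __name__ == "__main__":
    for p in check_test_records(SAMPLE_EXECUTIONS, SAMPLE_ERROR_LOG):
        print(p)
    print(summarize(SAMPLE_EXECUTIONS))
```

On the sample records the check reports two problems: TC-003 cites an error number that is not in the log, and ERR-02 is not linked to any failed test case. Both are the kind of filing gap that step 7 (documenting and filing) is meant to catch before the results are reported.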

APPENDIX 4. IT APPLICATION QUALITY AUDIT PROGRAM
Overview: This appendix describes the criteria and a way to assess the quality aspects of the
various phases of developing an application system. It is designed to be used in conjunction
with the ‘Applications Controls and End-User Computing Audit Program’ (book 5).

1. Description of Assessment Criteria
Various assessment criteria may be used to evaluate the quality of an application system in
the various phases of its development and operation. These are outlined below:

1.1. Criteria for the Analysis and Design phase of the Application: Compliance with
standards and procedures, Interoperability, Suitability, Data Security, and Quality of operational
control measures of the application.

1.2. Criteria for the Operation phase of the Application: Input/output Controls, Results
Accuracy, Ease of Operation, Response, Availability, User Assistance, Ease of Operation,
and Reliability of Operation.

1.3. Criteria for the Application Maintenance phase: Ease of debugging, Ease of making
changes, Test data quantity and quality and Maintenance Cost.

1.4. Criteria for the Application Documentation phase: User Guide, Functional
Documentation, and Technical Documentation.

2. Applying the Assessment Criteria

The use of these criteria in assessing application systems in their various phases is described
in the next paragraphs. The Scoring Scale assesses each criterion on a grade value of
1 (lowest) to 10 (highest).


3. PHASE A: Application Analysis and Design Assessment

3.1. Assessment Criterion A1: Standards and Procedures Compliance
Action: Determine the extent to which the application complies with current quality standards
and procedures of application design and analysis of the organization or profession.

Assessment Grade: …………………

3.2. Assessment Criterion A2: Interoperability
Action: Identify the ease with which the application can receive, share, or pass data to
other systems.

Assessment Grade: …………………

3.3. Assessment Criterion A3: Suitability
Action: Determine the suitability of the application in relation to its functions and the ease
of understanding the results.

Assessment Grade: …………………

3.4. Assessment Criterion A4: Data Security
Action: Determine if effective data protection controls are included in the system to prevent
unauthorized access, damage or disclosure.

Assessment Grade: …………………

3.5. Assessment Criterion A5: Quality of Operational Controls
Action: Determine the quality of the application’s operational control measures.

Assessment Grade: …………………

4. PHASE B: Application Operation Assessment

4.1. Assessment Criterion B1: Input/Output Controls
Action: Determine the extent to which the application has Input/Output Controls to ensure
the security and correctness of data being entered or exported.

Assessment Grade: …………………

4.2. Assessment Criterion B2: Results Accuracy
Action: Determine the extent to which the application has the attributes of correctness
(i.e., programs work as expected for all test results) and accuracy (i.e., the results are free
from any errors).

Assessment Grade: …………………

4.3. Assessment Criterion B3: Ease of Operation
Action: Determine the degree of ease of use of the application.

Assessment Grade: …………………

4.4. Assessment Criterion B4: Response
Action: Determine the degree of response satisfaction provided by the application.

Assessment Grade: …………………

4.5. Assessment Criterion B5: Availability
Action: Determine the availability of the application.

Assessment Grade: …………………

4.6. Assessment Criterion B6: User Assistance
Action: Determine whether the application provides on-screen aids or written documentation
for its functions to fully support the users.

Assessment Grade: …………………

4.7. Assessment Criterion B7: Ease of Operation
Action: Determine the ease of operation of the application without the intervention of
technicians.

Assessment Grade: …………………

4.8. Assessment Criterion B8: Reliability of Operation
Action: Determine how reliable and continuous the operation of the application is.

Assessment Grade: …………………

5. PHASE C: Application Maintenance Assessment

5.1. Assessment Criterion C1: Ease of debugging
Action: Determine how easy it is to understand the logic of the application and identify
errors or problems accordingly.

Assessment Grade: …………………

5.2. Assessment Criterion C2: Ease of making changes
Action: Determine how easy it is to make changes to the application logic and determine
the impact it will have on other subsystems or functions.

Assessment Grade: …………………

5.3. Assessment Criterion C3: Test data quantity and quality
Action: Determine the quality and quantity of data provided for testing.

Assessment Grade: …………………

5.4. Assessment Criterion C4: Maintenance cost
Action: Determine the maintenance cost of this application in relation to the result.

Assessment Grade: …………………

6. PHASE D: Application Documentation Assessment

6.1. Assessment Criterion D1: User Guide
Action: Determine the quality of the user’s documentation.

Assessment Grade: …………………

6.2. Assessment Criterion D2: Functional Documentation
Action: Determine the quality of the functional (business rules, requirements, data, etc.)
documentation of the application.

Assessment Grade: …………………

6.3. Assessment Criterion D3: Technical Documentation
Action: Determine the quality of the technical documentation of the application.

Assessment Grade: …………………

7. Auditor’s Comments
IT auditors record a summary of what they found during the above assessment process of
the specific application evaluated.

Comments: ………………………………………………………
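To turn the individual grades into phase and overall scores, the following added example (not part of the book's audit program) validates that every criterion A1 to D3 has a grade on the 1 (lowest) to 10 (highest) scale, averages the grades per phase and overall, and lists the criteria graded below a threshold as input for the Auditor's Comments section. The threshold of 5, the equal weighting of all criteria and the sample grades are assumptions.

```python
"""Compute phase and overall scores for the Application Quality Audit Program.

Added example, not part of the book's audit program. Criterion codes A1..D3 and
the 1 (lowest) to 10 (highest) grade scale follow the appendix; the threshold of 5
below which a criterion is reported as weak, and the sample grades, are assumptions.
"""
from statistics import mean

# Criteria per phase, as listed in the appendix (Phase A..D).
PHASES = {
    "A: Analysis and Design": ["A1", "A2", "A3", "A4", "A5"],
    "B: Operation": ["B1", "B2", "B3", "B4", "B5", "B6", "B7", "B8"],
    "C: Maintenance": ["C1", "C2", "C3", "C4"],
    "D: Documentation": ["D1", "D2", "D3"],
}
ALL_CRITERIA = [c for codes in PHASES.values() for c in codes]


def validate_grades(grades):
    """Raise ValueError if a criterion is ungraded or a grade is outside 1..10."""
    missing = [c for c in ALL_CRITERIA if c not in grades]
    if missing:
        raise ValueError(f"ungraded criteria: {missing}")
    bad = {c: grades[c] for c in ALL_CRITERIA
           if not (isinstance(grades[c], int) and 1 <= grades[c] <= 10)}
    if bad:
        raise ValueError(f"grades outside the 1..10 scale: {bad}")


def phase_scores(grades):
    """Average grade per phase, rounded to two decimals."""
    validate_grades(grades)
    return {phase: round(mean(grades[c] for c in codes), 2) for phase, codes in PHASES.items()}


def overall_score(grades):
    """Average over all criteria (each criterion weighted equally, an assumption)."""
    validate_grades(grades)
    return round(mean(grades[c] for c in ALL_CRITERIA), 2)


def weak_criteria(grades, threshold=5):
    """Criteria graded below the threshold, for the Auditor's Comments section."""
    validate_grades(grades)
    return [c for c in ALL_CRITERIA if grades[c] < threshold]


# Constructed sample grades for one application (not a real assessment).
SAMPLE_GRADES = {
    "A1": 8, "A2": 7, "A3": 8, "A4": 4, "A5": 7,
    "B1": 7, "B2": 8, "B3": 6, "B4": 7, "B5": 9, "B6": 5, "B7": 6, "B8": 8,
    "C1": 5, "C2": 4, "C3": 6, "C4": 7,
    "D1": 8, "D2": 7, "D3": 6,
}

if __name__ == "__main__":
    for phase, score in phase_scores(SAMPLE_GRADES).items():
        print(f"{phase}: {score}")
    print("overall:", overall_score(SAMPLE_GRADES))
    print("weak criteria:", weak_criteria(SAMPLE_GRADES))
```

With the sample grades the weak criteria are A4 (Data Security) and C2 (Ease of making changes); a low grade on A4 in particular is one an auditor would carry into the comments even when the overall score looks acceptable, because the phase averages hide it.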

APPENDIX 5. ITAF BRIEF DESCRIPTION
Overview: This appendix briefly describes the basic aspects of the Information Technology
Assurance Framework (ITAF), which may be used by IT Auditors in their work.

IT Assurance Framework (ITAF)
The Information Technology Assurance Framework (ITAF), published by ISACA, is a
comprehensive and good-practice-setting model that:

• Provides guidance on the design, conduct and reporting of IT audit and
assurance assignments;
• Defines terms and concepts specific to IT assurance;
• Establishes standards that address IT audit and assurance professional roles and
responsibilities; knowledge and skills; and diligence, conduct and reporting
requirements.

ITAF provides a single source through which IT audit and assurance professionals can seek
guidance, research policies and procedures, obtain audit and assurance programs, and develop
effective reports. While ITAF incorporates existing ISACA standards and guidance, it has
been designed to be a living document. As new guidance is developed and issued, it will
be indexed within the framework. The scope of the guidance provided in ITAF has been
incorporated into the latest thinking offered in COBIT 5.

For more details, see: https://cio-wiki.org/wiki/IT_Assurance_Framework_(ITAF)

APPENDIX 6. DATA PROTECTION AND IT SECURITY CHECKLIST
Overview: This appendix describes a Data Protection and Security Checklist of 53 items
organized in 5 areas (Organizational security and privacy measures, Methodologies, Plans,
Data Protection Policies and Procedures, and Software).

Area A: Organizational security and privacy measures
1. Security Responsibilities of the Board of Directors: ____
2. Security Responsibilities of Senior Management: ____
3. Organization of IT security: ____
4. Personnel Management Security checks for personnel: ____
5. Contracts with security controls for third-parties: ____
6. Data protection specifications for third-parties: ____
7. Instructions for Security of Confidential Information: ____
8. Information Systems Security Rules: ____
9. Cyber Security Insurance: ____
10. Reporting incidents of privacy violations: ____
11. Certification of IT in one function: ____

Area B: Methodologies
1. Integrating Security and Privacy in Information Systems: ____
2. Assessing Information Technology risks: ____

Area C: Plans
1. Information security strategy plan: ____
2. Business Continuity Critical Functions Plan: ____
3. Civil Threats Plan: ____
4. Corporate Data Protection and IT Security Plan: ____
5. Personal Data Privacy Protection Program: ____
6. Data Protection Awareness and Education Plan: ____
7. Data Subjects Claims and Complaints Response Plan: ____

8. Third Parties Risk Management Plan: ____
9. Corporate Functions Data Protection Integration Plan: ____
10. Data Quality Improvement Plan: ____
11. Social Media Governance Plan: ____
12. Information Security Management Plan: ____
13. Security Development in IT Systems Plan: ____
14. Personal Data Breach Response Plan: ____

Area D: Data Protection Policies and Procedures
1. Privacy Notice or Data Protection Policy: ____
2. Encryption Policy: ____
3. Pseudonymization policy: ____
4. Corporate Records Retention and Destruction Policy: ____
5. Data Classification Policy: ____
6. Data Quality Policy: ____
7. Website Cookie Policy: ____
8. Regulatory Compliance Policy: ____
9. Network and Internet Management Policy: ____
10. Email Security Management Policy: ____
11. Backup and Recovery Policy: ____
12. Passwords Management Policy: ____
13. Physical Security Policy: ____
14. Security Incident Management Policy: ____
15. Third Party Contracts Monitoring Policy: ____
16. End User Application Management Policy: ____
17. IT Assets Withdrawal Policy: ____
18. User Logical Access Policy: ____
19. Clean Desk and Screen Policy: ____
20. Data Breach Management Policy: ____
21. Information Security Policy: ____

Area E: Software
1. Data loss prevention (DLP) software: ____
2. Software tools for aggregation, data masking, pseudonymisation, or
anonymization: ____
3. Encryption technology: ____
4. Intrusion Detection and Prevention System: ____

APPENDIX 7. VISUAL AUDIT TOOLS

Overview: This appendix briefly describes six visual tools that IT Auditors can use for a
variety of purposes, such as: understanding and auditing an IT Application System, process,
network, etc.; detecting gaps and anomalies; creating checklists and questionnaires; and
presenting audit findings and results to management.

Visual Audit Tools (VAT)

VAT 1. SIPOC
SIPOC is an acronym for: Supplier; Input; Process; Output; and Customer.

The purpose of this visual tool (SIPOC diagram) is: To identify the overall processes in the
work system; To provide an overall perspective and support the definition, structuring, and
scoping of complex work systems; and highlight possible problems or weaknesses in the
processes of the work system.

VAT 2. Turtle Diagram
The Turtle Diagram is a visual tool that can be used to describe all elements of any process
within an organization in a very precise and detailed way. It should bring together all aspects,
including inputs, outputs and criteria/metrics, among other information that may be relevant
and assist in improving organizational processes.

VAT 3. Network Flow Diagram
A network flow diagram maps the flow of data through networks. Digital systems often
involve network-connected systems with functionality distributed across multiple nodes.
For example, in an ecommerce store, data might move from an order system to invoicing,
payment, and logistics systems.

A network flow diagram indicates the routes over which data travels, the internal and external
nodes on which it is stored or processed, and the purpose of those nodes. Network flow
diagrams are essential to understanding the environment that hosts sensitive data as well as
risk mitigation and the enforcement of information security policies.


VAT 4. Data Flow Diagram
Also known as DFD, a Data flow diagram is used to graphically represent the flow of
data in a business information system. A DFD describes the processes that are involved in
a system to transfer data from the input to the file storage and reports generation.

Data flow diagrams can be divided into logical and physical. The logical data flow diagram
describes the flow of data through a system to perform certain functionality of a business. The
physical data flow diagram describes the implementation of the logical data flow.

VAT 5. Flowchart
Flowcharts may be used for diagnosing a malfunction or to troubleshoot problems. Business
organizations also use flowcharts for process improvement. Breaking down processes into
smaller steps, then examining them closely can reveal areas of both operating inefficiency
and opportunity for improvement.

VAT 6. SDL Diagram
Brainstorming computer algorithms is often accomplished using an SDL diagram. SDL
stands for Specification and Description Language. This is a flowchart that offers a unique
set of symbols that are used to map out real-time systems. The three basic components of
an SDL diagram are the system definition, the block, and the process.


END NOTES

Chapter 2. IT Audit Checklist
Note 1. As per https://en.wikipedia.org/wiki/Checklist

Chapter 4. IT Audit Report Template
1. For another example, see: ‘IS Audit Basics: The Components of the IT Audit
Report’, https://www.isaca.org/resources/isaca-journal/issues/2020/volume-1/is-audit-basics-the-components-of-the-it-audit-report

IT Audit Framework (ITAF™): A Professional Practices Framework for IT Audit, 4th Edition
https://www.isaca.org/bookstore/audit-control-and-security-essentials/witaf4

For a brief description of ITAF see Appendix 5.

For other relevant audit reporting standards, see:

https://www.iaasb.org/projects/auditor-reporting

https://www.ifac.org/system/files/downloads/a036-2010-iaasb-handbook-isa-700.pdf

www.aicpa.org

https://pcaobus.org/oversight/standards/auditing-standards/details/AS3101


CHAPTER 5
Note 1. Benford’s law, also called the Newcomb–Benford law, the law of anomalous numbers,
or the first-digit law, is an observation about the frequency distribution of leading digits in
many real-life sets of numerical data. The law states that in many naturally occurring collections
of numbers, the leading digit is likely to be small. In sets that obey the law, the number
1 appears as the leading significant digit about 30 % of the time, while 9 appears as the
leading significant digit less than 5 % of the time. If the digits were distributed uniformly,
they would each occur about 11.1 % of the time. Benford’s law also makes predictions about
the distribution of second digits, third digits, digit combinations, and so on.

For more details, see: https://en.wikipedia.org/wiki/Benford%27s_law
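A worked first-digit test, as an added example that is not code from the book, for Method 5 (Using CAATs) in Appendix 1 and for this note: it computes the Benford expectation log10(1 + 1/d) for each leading digit d, compares a whole population of amounts (not a sample) against it with a chi-square statistic, and flags a population in which many amounts sit just below a 10,000 limit. Both populations are constructed; the powers of two are used because they are known to follow Benford's law, and the chi-square critical value is the standard 5% value for 8 degrees of freedom.

```python
"""First-digit (Benford's law) test over a complete population of amounts.

Added example, not code from the book; it illustrates Method 5 (Using CAATs) in
Appendix 1 and the Chapter 5 note on Benford's law. The two populations below are
constructed: a set that conforms to Benford's law and one padded with amounts
just below a 10,000 limit. The chi-square critical value is the standard 5%
value for 8 degrees of freedom.
"""
import math
from collections import Counter

# Expected share of each leading digit d = 1..9 under Benford's law: log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_8DF_5PCT = 15.507  # chi-square, 8 degrees of freedom, 5% significance


def leading_digit(amount):
    """First significant digit of a non-zero amount, ignoring sign and magnitude."""
    # scientific notation puts the leading significant digit first
    return int(f"{abs(float(amount)):.10e}"[0])


def first_digit_test(amounts):
    """Observed share per leading digit and the chi-square statistic against Benford.
    Zero amounts have no leading digit and are skipped."""
    digits = [leading_digit(a) for a in amounts if a != 0]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    chi2 = sum((counts.get(d, 0) - n * BENFORD[d]) ** 2 / (n * BENFORD[d])
               for d in range(1, 10))
    return observed, chi2


def flags_anomaly(amounts):
    """True when the first-digit distribution departs from Benford at the 5% level."""
    return first_digit_test(amounts)[1] > CHI2_CRIT_8DF_5PCT


def conforming_sample():
    """Constructed population that follows Benford's law: the powers of two 2^0 .. 2^999."""
    return [2 ** k for k in range(1000)]


def skewed_sample():
    """Constructed population in which 400 of 1000 amounts sit just under 10,000 (all start with 9)."""
    return conforming_sample()[:600] + [9_500 + (k * 7) % 500 for k in range(400)]


if __name__ == "__main__":
    for name, population in (("conforming", conforming_sample()), ("skewed", skewed_sample())):
        observed, chi2 = first_digit_test(population)
        print(f"{name}: digit-1 share {observed[1]:.3f}, digit-9 share {observed[9]:.3f}, "
              f"chi2 {chi2:.1f}, anomaly={flags_anomaly(population)}")
```

The test only says that a population is unusual, not why: a flagged population is the starting point for inspection of evidence and inquiry on the transactions concerned, and some legitimate data (assigned numbers, prices fixed by policy) does not follow Benford's law at all.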


BIBLIOGRAPHY

Published books by John Kyriazoglou
A full list of all my books (privacy, business management, wellness, etc.) is available at:
https://bookboon.com/en/search?query=kyriazoglou

For risk assessment my book is: ‘Assessing Information Risks: The GDPR Employees’ Guide -
Part IV’, at: https://bookboon.com/en/assessing-information-risks-ebook

Free research documents by John Kyriazoglou
A full list of all my research documents (GDPR, Corporate, IT, etc.) is available at:
https://www.researchgate.net/profile/John-Kyriazoglou-2/publications

DISCLAIMER
The material, concepts, ideas, plans, policies, procedures, forms, methods, tools, etc. presented,
described and analyzed in all chapters and appendices, are for educational and training
purposes only. These may be used only, possibly, as an indicative base set, and should be
customized by each organization, after careful and considerable thought as to the needs and
requirements of each organization, taking into effect the implications and aspects of the
legal, national, religious, philosophical, cultural and social environments, and expectations,
within which each organization operates and exists.

Every possible effort has been made to ensure that the information contained in this book
is accurate at the time of going to press, and the publishers and the author cannot accept
responsibility for any errors or omissions, however caused. No responsibility for loss or
damage occasioned to any person acting, or refraining from action, as a result of the material
in this publication can be accepted by the publisher or the author.
