0% found this document useful (0 votes)

50 views59 pages

CH03 - 2024 Auditing-Information-Systems

Planning Audit SI

Uploaded by

Rini Astuti

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

50 views59 pages

CH03 - 2024 Auditing-Information-Systems

Planning Audit SI

Uploaded by

Rini Astuti

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 59

03.

PLANNING AN IS AUDIT

Credit: Group of Business People Working Together by Yan Krukau, used under the Pexels License.

This chapter will dive deeper into the crucial aspect of Information Systems (IS) Auditing – planning. Imagine
building a house without a blueprint or embarking on a long road trip without a map. In both cases, the lack of
planning can lead to chaos and uncertainty. Similarly, in IS auditing, planning is the blueprint that guides us in
navigating the complex landscape of information systems. It is the foundation upon which the entire IS audit
process rests.
Our discussion starts with the development of risk-based IS audit plans. In doing so, we will discuss the
intricacies of risk-based IT audit planning, aligning audit plans with organizational goals, and documenting and
gaining stakeholder approval for the IS audit plan.
Next, we will discuss the nature, role, and importance of risk assessment and materiality in IS audits. We will
explore identifying, analyzing, and evaluating IS risks. Moreover, we will discuss the IS auditor’s ongoing role in
continuous risk monitoring. This will serve as a lead-in to the discussion around the relevant elements of an IS
audit program, providing a comprehensive understanding of its structure and purpose. We will also consider
various IS auditing methodologies and procedures.
Having a plan is one thing, but executing it effectively is another. In addition to reviewing the relevance
and types of evidence-gathering techniques, we will also discuss the IS auditor’s need to obtain sufficient
and appropriate audit evidence. Sampling is a fundamental aspect of IS auditing, and in the final part of this

03. Planning an IS Audit | 81

chapter, we will explore the intricacies of audit sampling. Specifically, we will review various sampling methods
used in IS audits and understand how to determine sample sizes and confidence intervals. We will also consider
how sampling errors can impact audit conclusions.
The primary objective of this chapter is to proffer the foundational knowledge and skills needed to create a
robust IS audit plan, assess risks, develop an audit program, gather evidence effectively, and employ sampling
techniques. These skills are essential in becoming a proficient IS auditor, ready to address the challenges and
opportunities in the dynamic field of information systems auditing.

Learning Objectives

By the end of this chapter, you should be able to

• Develop comprehensive risk-based IS audit plans that align with organizational goals.
• Identify, analyze, and evaluate IS risks, allowing them to prioritize audit activities effectively.
• Develop IS audit programs that outline audit procedures, methodologies, and key
considerations for different audit engagements.
• Understand the concept of materiality and its influence on decision-making during the IS audit
process.
• Apply relevant evidence-gathering techniques to effectively collect and analyze audit evidence.
• Utilize various sampling methods, including determining sample sizes, calculating confidence
intervals, and managing sampling errors.

82 | 03. Planning an IS Audit

03.01. Developing Risk-based IS Audit
Plans

Credit: A man in corporate attire talking at a meeting by Pavel Danilyuk, used under the Pexels License.

Briefly reflect on the following before we begin:

• How can audit planning be aligned with an organization’s strategic goals and objectives?
• How would IS Auditors go about developing multi-year audit plans?
• Who should be the key stakeholders to sign off on the multi-year audit plan?

The essence of a risk-based audit plan lies in its ability to anticipate and mitigate risks in a rapidly evolving IT
landscape. Such a plan is not merely a procedural requirement but a strategic tool instrumental in safeguarding
an organization’s digital assets and ensuring compliance with regulatory standards. It necessitates a forward-
looking perspective that aligns with the organization’s immediate and long-term goals.

03.01. Developing Risk-based IS Audit Plans | 83

The process begins with identifying key risk areas within an organization’s IT framework to pinpoint potential
vulnerabilities and areas where the organization is most susceptible to risks, be it in data security, system
integrity, or compliance with regulations. This requires a comprehensive analysis of the organization’s IT
infrastructure, including a detailed understanding of various systems, applications, and the business processes
they support.
Once the risks are identified, the next step involves the prioritization of these risks. This prioritization is not a
mere sequence of risks, but a strategic categorization based on potential impact and likelihood of occurrence.
It is a delicate balance that weighs various factors, including the potential financial implications, operational
disruptions, and reputational risks. Integrating industry and regulatory standards into the planning process
is another critical aspect. Standards such as ISO 27001 and GDPR are benchmarks, ensuring the audit plan
adheres to internal organizational standards and aligns with global best practices and legal requirements.
Allocating resources is a pivotal part of the planning process as it involves assigning the right mix of skills
and tools to address the identified risks. It is based on the nature and complexity of the risks, ensuring the
audit team is well-equipped to conduct a thorough and effective audit. Similarly, reviewing past audits and
their findings plays a significant role in shaping the current audit plan. This retrospective analysis helps identify
recurring issues, understand the effectiveness of prior recommendations, and refine the current approach.

Risk-based IS Audit Planning Process

The risk-based IS audit planning process is a structured approach central to effective IS auditing.
Given the ever-evolving nature and extent of the IT’s influence over the organization’s operations, assessing
enterprise-wide IT risk and controls can be daunting. While most progressive organizations and IS audit
functions aim to maintain a complete inventory of their IT infrastructure components, it is not always possible
or feasible. As an acceptable alternative, IS audit functions tend to perform the following in preparation of
developing a risk-based audit plan:

• Performing IT risk assessments annually to identify the new technologies impacting the organization.
• Becoming familiar with the IT’s short-term initiatives and analyzing how they impact the IT risk
assessment.
• Beginning each IT audit by reviewing its risk assessment component.
• Monitoring the organization’s IT-related risk profile and adapting audit procedures as it evolves.

Additionally, several organizational and technological factors should be considered when developing the risk-
based IS audit plan, such as the organization’s industry sector, revenue size, type, complexity of business
processes, and geographic locations of operations. More specifically, the following factors play a significant role
in helping IS Audit functions shape their risk-based audit plans:

• Extent of IT Use

◦ The extent of IT use needs to be considered in planning the nature, extent, and timing of audit
procedures.
◦ IT skills may be needed to understand the flow of some transactions.
◦ Nature, timing, and extent are all affected by the extent of IT use.
• Availability of Data

◦ Input data, system-generated files and other data may exist only for short periods of time or only in
computer readable form.
◦ The client may have to adopt a retention policy that preserves information for audit purposes.

84 | 03.01. Developing Risk-based IS Audit Plans

◦ The auditor should plan to perform procedures when data is available.
• Complexity of Operations

◦ Complexity refers to hardware configuration and the degree of integration of common files or data.
◦ Another factor is the availability of transaction trails.
◦ Significant processing of transactions by service providers affects planning.
• Need for Specialized Skills

◦ All aspects of a client’s systems should be considered in determining the need for specialized IT skills.
◦ Audit team members should possess sufficient IT knowledge to know when to call on specialists.
• IT Organizational Structure

◦ The degree of centralization of IT will affect the auditor’s controls assessment.

◦ Centralized IT departments lead to uniform hardware and control structures throughout the entity.
◦ Decentralized structures may have different hardware, software, and control procedures at each
processing location.

Developing the risk-based IS audit plan should follow a systematic process to ensure that the IS auditors
consider all fundamental business aspects and IT-service support activities. The foundation for the plan must
be rooted in the organization’s objectives, strategies, and business model.
The process begins with gaining an understanding of the business by identifying the strategies,
organizational objectives, and business models that will enable the IS Auditor team to understand the
organization’s unique business risks. The IS Audit team also must understand how existing business operations
and IT service functions support the organization. Understanding the business also involves recognizing
external factors. These include market trends, economic conditions, and technological advancements. Auditors
should be aware of how these factors impact the organization. They must also understand the organization’s
adaptability to these changes to better assess technological risks. Understanding the business is a continuous
process and requires the IS audit team to stay updated with organizational and environmental changes. They
should regularly interact with key stakeholders to gain insights to better understand changes in the business
processes, objectives, and strategies as well as identify new technologies adopted by the organization.
Next, the IS audit team needs to define the IT universe through a top-down approach that identifies key
business objectives and processes, significant IS that support the business processes, the infrastructure needed
for the business applications, the organization’s service support model for IT, and the role of common
supporting technologies such as network devices. These technical components, along with an understanding
of service support processes and system implementation projects, will allow the IS audit team to create a
comprehensive inventory of the IT environment, which forms the foundation for assessing the vulnerabilities
that may impact internal controls. The IT audit universe is dynamic and evolves as the organization’s IT
environment and business objectives change. Therefore, the IT audit universe must be periodically (at least
annually) reviewed and updated to ensure that the IT audit plan remains relevant and aligned with the
organization’s current risk profile and strategic direction. Engaging with IT management, business unit leaders,
and other relevant personnel is crucial in defining the IT universe as it helps gain insights into the IT
environment and associated risks. Stakeholder engagement also helps ensure the IT audit universe is
comprehensive and aligns with the organization’s priorities and concerns.
The next step is to perform the risk assessment — a methodology for determining the likelihood of an event
that could hinder the organization from attaining its business goals and objectives in an effective, efficient,
and controlled manner. This involves assessing the impact and likelihood of each risk regarding potential
financial loss, operational disruption, and reputational damage. The likelihood assessment also considers the
probability of each risk materializing. This prioritization helps focus audit efforts on areas that pose the greatest
threat to the organization’s objectives. It is a strategic process, balancing various risk factors to determine
the most significant areas needing attention. Incorporation of industry and regulatory standards into the

03.01. Developing Risk-based IS Audit Plans | 85

audit plan is essential. Standards such as ISO 27001 and laws like GDPR provide a framework for assessing
the organization’s compliance posture. Adhering to these standards ensures that the audit plan is aligned
with internal organizational goals and external compliance requirements. This aspect of the planning process
safeguards the organization from potential legal and regulatory risks.
The information and analysis gained by understanding the organization, inventorying the IT environment,
and assessing risks feeds into the final step, formalizing the audit plan. It involves selecting audit subjects,
bundling them into distinct engagements, determining the audit cycle and frequency, and adding
engagements based on management requests or consulting opportunities. The objective of the audit plan is to
determine where to focus the auditor’s assurance and consulting work to provide management with objective
information to manage the organization’s risks and control environment. The audit plan must be dynamic,
allowing for adjustments in response to changes in the business and IT environments to maintain relevance
and effectiveness in the face of evolving risks and organizational needs. A crucial part of this phase is reviewing
the plan with senior and operations management to validate the management’s input and provides them a
preview of the upcoming IT audit activities. It also allows for the discussion of potential audit engagement dates
and any operational activities that might affect the audit process, such as application upgrades or significant
operational events. The content of the IT audit plan should directly reflect the risk assessment. The audit plan
should cover various aspects, including IT general controls, application controls, infrastructure controls, and
their contributions to operational, financial, and compliance reviews. It should also consider new IT trends and
their potential impacts. The plan is influenced by risk assessments, resource allocation, and the prioritization of
risks. These factors help in determining the scope and focus of the audit activities. Different types of IT audits
might include integrated business process audits, audits of IT processes, and audits of business projects and
IT initiatives. The plan could be integrated with non-IT audit activities, sometimes involving a multidisciplinary
team with balanced expertise, including IT audit skills. Lastly, IS audit teams should also plan for contingencies
and coordinate activities with internal and external assurance and consulting service providers to help minimize
duplication of efforts and ensure comprehensive coverage.
The risk-based IS Audit Plan development process can be summarized as follows:

• Understand the Business

◦ Identify the organization’s strategies and business objectives.

◦ Understand the high-risk profile of the organization.
◦ Identify how the organization structures their business operations.
◦ Understand the IT service support model and environment.
• Define the IT Universe

◦ Understand business fundamentals.

◦ Identify applications supporting the business operations.
◦ Identify critical infrastructure for significant applications.
◦ Identify major projects and initiatives.
◦ Determine realistic audit subjects.
• Perform Risk Assessment

◦ Develop processes to identify risks.

◦ Assess risk and rank audit subjects using IT risk factors.
◦ Assess risk and rank subjects using business risk factors.
• Formalize the Audit Plan

◦ Select audit subjects and bundle them into distinct audit engagements.
◦ Determine audit cycle and frequency.
◦ Add appropriate engagements based on management requests or opportunities for consulting.
◦ Validate the plan with business management.

86 | 03.01. Developing Risk-based IS Audit Plans

Documenting the IS Audit Plan and Getting Stakeholder Approval

Documenting the IS audit plan and obtaining stakeholder approval serves as a blueprint for the IS audit
function, outlining the scope, objectives, and methodology of the key assurance and consulting engagements
to be undertaken over the next few quarters.
Effective documentation starts by defining the overall scope, including identifying specific IT areas to be
audited. The scope must be comprehensive, covering all critical systems and processes. It should also be
specific, delineating the boundaries of the audit. Clear scope definition helps set realistic expectations and
avoid scope creep during the audit execution. Next, the objectives of the audit are outlined. They need to be
clear, measurable, and achievable. Each objective should address a specific risk or compliance requirement.
This clarity helps focus the audit efforts and facilitates the evaluation of audit outcomes.
The audit methodology section describes the approach and techniques, including details on risk assessment
methods, audit procedures, and evidence-gathering techniques. The methodology should be robust, ensuring
a thorough and efficient audit. It should also be flexible, allowing for adjustments in response to findings during
the audit. Resource allocation is another critical component of the audit plan, outlining the personnel and
technology resources assigned to the audit. The timeline and milestones section should provide a schedule for
the audit, including key milestones and deadlines. The timeline should be realistic, allowing sufficient time for
thorough audit activities.
Once the audit plan is documented, obtaining stakeholder approval is the next important step. This involves
presenting the plan to senior management and other key stakeholders. The presentation should be clear,
concise, and focused on how the audit supports the organization’s objectives. It should highlight the audit’s
expected value and how it aligns with the organization’s strategic goals. Securing stakeholder approval often
requires addressing concerns and answering questions. This interaction is an opportunity to refine the audit
plan based on stakeholder feedback. It ensures that the plan is not only acceptable to the audit team but also to
those who will be impacted by the audit. Effective communication is key in this stage, and the IS auditor must
articulate the importance of the audit, its potential benefits, and how it will be conducted without disrupting
normal business operations. This communication builds trust and fosters a collaborative relationship between
the audit team and stakeholders.
Once approval is obtained, the audit plan is finalized and communicated to the IS audit team. This
communication is crucial for ensuring that everyone involved understands the plan and their roles in it.

In the Spotlight

For additional context on the process of developing a risk-based IS audit plan, please read the article
titled “IS Audit Basics: Developing the IT Audit Plan Using COBIT 2019” [opens a new tab].

03.01. Developing Risk-based IS Audit Plans | 87

Cooke, I. (2019). IS audit basics: Developing the IT audit plan using COBIT 2019. ISACA Journal, 6.
https://www.isaca.org/resources/isaca-journal/issues/2019/volume-3/developing-the-it-audit-plan-using-
cobit-2019

Key Takeaways

Let’s recap the key concepts discussed in this section by watching this video.

One or more interactive elements has been excluded from this version of the text. You can view
them online here: https://ecampusontario.pressbooks.pub/
auditinginformationsystems/?p=413#oembed-1

Source: Mehta, A.M. (2023, December 6). AIS OER ch 03 topic 01 key takeaways [Video].
https://youtu.be/AkBW_FE4urA

88 | 03.01. Developing Risk-based IS Audit Plans

Knowledge Check

An interactive H5P element has been excluded from this version of the text. You can view it
online here:
https://ecampusontario.pressbooks.pub/auditinginformationsystems/?p=413#h5p-139

Review Questions

1. Explain the importance of understanding the business in the risk-based IS audit planning
process.
2. Describe how the extent of IT use influences the nature, timing, and extent of audit procedures
in a risk-based IS audit plan.

03.01. Developing Risk-based IS Audit Plans | 89

Mini Case Study

Developing a Risk-Based IS Audit Plan for TechStream Inc.

The company’s transition to the cloud is noteworthy, with a substantial reliance on third-party cloud
service providers for its cloud offerings and ongoing initiatives to migrate critical data storage services
to cloud platforms. This transition is coupled with exploratory ventures into IoT technology, aimed at
harnessing real-time financial data from various sources. TechStream Inc.’s clientele is broad and
includes large financial institutions, mid-sized banks, and emerging fintech startups, making the
handling of sensitive financial data, such as transaction histories and customer information, a regular
occurrence.

Operating on an international scale, TechStream Inc. must navigate a complex regulatory landscape,
adhering to various international regulations like the GDPR in Europe and other data protection laws
globally. Regular audits by financial regulators are a part of their operational norm due to the sensitive
nature of their client base. The company’s IT infrastructure presents a blend of legacy systems and
modern cloud-based solutions, recently adapting to increased remote work scenarios with greater
reliance on VPNs and cloud applications.

Despite their robust technology adoption, security remains a focal concern, especially with minor
past incidents and growing apprehensions about potential vulnerabilities, particularly in new cloud and
IoT integrations. While the company maintains an internal IT security team, it often leans on external
consultants for comprehensive security audits and assessments. Current IT challenges include the
integration of AI and machine learning for advanced data analytics and ensuring secure, seamless
integration of an increasing number of IoT devices. Alongside these technological strides, TechStream
Inc. is also planning a significant expansion of its cloud storage capabilities, further solidifying its
position as a tech-forward company in the financial software domain.

You are an IS auditor tasked with developing a risk-based IS audit plan for TechStream Inc.

90 | 03.01. Developing Risk-based IS Audit Plans

Considering the company’s global presence, diverse IT infrastructure, and recent technological
advancements, the IS audit must align with the organization’s strategic goals while addressing
significant risks.

Required: Develop a dynamic IS audit plan that aligns with TechStream Inc.’s risk profile and
operational priorities.

03.01. Developing Risk-based IS Audit Plans | 91

03.02. Risk Assessment and Materiality in
IS Audits

Credit: A man in corporate attire talking at a meeting in the office by Pavel Danilyuk, used under the Pexels License.

Briefly reflect on the following before we begin:

• How should IS Auditors identify, analyze, and evaluate information system risks?
• What other key considerations will help shape the focus of an IS Audit?
• How can IS Auditors help an organization’s risk profile remain up-to-date and reflective of evolving
threats?

At its core, IS auditing is intrinsically linked to the effective management of audit risks and understanding the
concept of materiality. In this section, we will discuss identifying, analyzing, and evaluating risks inherent in IS,
elucidating materiality’s role in IS audits.
It starts with gaining a thorough understanding of what constitutes IS risks through a systematic approach

92 | 03.02. Risk Assessment and Materiality in IS Audits

using various techniques including checklists, structured interviews, and direct observations. These risks stem
from various sources and can be categorized into different types, such as operational, technical, and strategic
risks. The analysis phase assesses the likelihood of occurrence and potential impact of identified risks, involving
both quantitative and qualitative approaches – quantifying risks in terms of potential financial loss or
qualitatively assessing them based on their impact on organizational objectives. The evaluation of these risks
then prioritizes them based on their significance to the organization and helps in directing resources and
efforts where they are most needed.
We will also discuss the concept of materiality, determining the significance of an issue within the context
of the overall audit. Materiality guides IS auditors in planning and conducting audits by helping to define the
audit scope and identifying areas that require greater focus. Setting materiality thresholds is a nuanced process
influenced by the organization’s nature and the audit’s specific context. The audit findings may sometimes
necessitate a reassessment of materiality to ensure that the audit remains relevant and focused on areas of
greatest impact, aligning the audit process with the evolving nature of business and technology risks.
Continuous risk monitoring has become essential with the increasing complexity and frequency of changes
in technology and business processes. This process involves constantly overseeing risk factors, enabling
organizations to identify and respond to risks in real-time. The IS auditor plays a key role in establishing
and maintaining these systems, ensuring their alignment with the organization’s overall risk management
framework. Effective continuous monitoring relies on a blend of automated tools and manual processes,
including various techniques such as regular audits, trend analysis, and real-time alerts. The data derived from
continuous monitoring feeds into the ongoing risk assessment process, allowing for more informed decision-
making and agile responses to emerging threats.

IS Risks Identification, Analysis, and Evaluation

IS risks are diverse, encompassing technical failures, security breaches, data integrity issues, and compliance
lapses. They emerge from various sources: internal processes, external threats, technological advancements,
and human factors. Identifying these risks requires a systematic approach by employing checklists, structured
interviews, and direct observations to unearth potential vulnerabilities that might remain hidden.
A comprehensive risk identification process is not just about listing possible risks; it’s about understanding
each organization’s unique context. Each entity has its specific set of challenges and vulnerabilities. IS auditors
are expected to uncover these unique risks, tailor our approach, and prepare for the subsequent analysis and
evaluation stages. The next step is to analyze them. This involves assessing the likelihood of each risk occurring
and its potential impact. Here, both quantitative and qualitative approaches are used. Quantitative analysis
involves assigning numerical values to the probability and impact of risks, helping create a more objective view.
Qualitative analysis, on the other hand, relies on the auditor’s judgment and experience to estimate the severity
of risks. While quantitative methods provide a semblance of objectivity, qualitative insights are invaluable. They
bring depth to the IS Auditor’s understanding of risks, especially in areas where numerical data is insufficient.
Once risks are analyzed, they must be evaluated and prioritized to determine which risks warrant more
attention. In this phase, risks are ranked based on their potential impact on the organization to guide the
allocation of auditing resources and shape the audit plan. The risk landscape constantly changes, influenced
by evolving technologies and shifting business strategies. The evaluation process should be iterative, adapting
to new information and changing circumstances. Successful risk identification, analysis, and evaluation hinge
on several key factors. First, a deep understanding of the organization’s operations, culture, and technology
landscape is vital. This knowledge allows for a more targeted and relevant risk assessment. Second, engaging
with various stakeholders – from IT personnel to executive management – provides diverse perspectives,
enriching the risk assessment process. Lastly, leveraging technology can greatly enhance our risk analysis

03.02. Risk Assessment and Materiality in IS Audits | 93

and evaluation capabilities. Tools such as data analytics and automated risk assessment software can provide
deeper insights and a more comprehensive view of the risk environment.
This comprehensive approach to risk management ensures the integrity and security of information systems
and supports the strategic objectives of the organizations we audit.

Materiality

Materiality is an important concept in auditing and refers to the importance of omission or misstatement of
information that, if present, could influence the decisions of stakeholders. Determining what is material in an
audit involves understanding the organization’s operations, objectives, and the specific risks it faces. Materiality
is not static; it varies from one organization to another and even from one audit to another within the same
organization. Factors such as organizational size, nature of operations, and risk tolerance play a crucial role in
defining materiality thresholds.
Establishing materiality thresholds requires a deep understanding of the business and its environment. IS
auditors consider various factors, including quantitative benchmarks and qualitative judgments. The thresholds
set the stage for the entire audit process, influencing audit procedures’ scope, depth, and nature. It involves
balancing objectivity with the auditor’s professional judgment. The aim is to focus on areas significant to the
organization’s financial and operational integrity while ensuring efficient use of audit resources.
Materiality directly impacts audit planning and execution as it helps auditors determine which areas require
more attention and which can be given less and, in turn, ensures that the audit focuses on the most significant
aspects of the organization’s IS environment. Materiality also helps make decisions about the nature, timing,
and extent of audit procedures. For instance, areas deemed more material may warrant more detailed testing
or a lower threshold for error. Conversely, fewer material areas might be subject to higher thresholds or more
limited testing. Moreover, as new information comes to light during an audit, the initial materiality assessments
may need to be revisited and adjusted to respond to evolving situations during an audit.
Materiality also plays a pivotal role in evaluating audit findings and in the reporting phase. Findings are
assessed in the context of the materiality thresholds set at the outset to guide the IS auditors in determining
which issues to report and how to present them to stakeholders. In reporting, materiality ensures that the focus
is on what truly matters to the stakeholders so that the IS audit reports are developed clearly and concisely
while avoiding the clutter of insignificant details.

Audit Risk

The Audit Risk Model is another essential framework, as it guides the IS auditors in assessing and managing
the risk of incorrect audit conclusions. The Audit Risk Model comprises three main components:

• Inherent risk refers to the susceptibility of an audit area to error or fraud before considering any related
controls. In IS auditing, the inherent risk might be high in complex, rapidly evolving tech environments.
For example, emerging technologies like blockchain or AI systems inherently carry higher risks due to their
novelty and complexity.
• Control risk, the second component, is the risk that a client’s internal controls will fail to prevent or detect
an error or fraud. In the context of IS auditing, this risk could manifest in inadequate password policies or
poor access controls. The effectiveness of these controls plays a crucial role in mitigating inherent risk.
• Detection risk, the final element, pertains to the risk that the auditors’ procedures will fail to detect an
error or fraud within the audit area. It hinges on the effectiveness of the audit procedures and the auditor’s

94 | 03.02. Risk Assessment and Materiality in IS Audits

ability to correctly interpret the results. In IS audits, detection risk is particularly pertinent, given the
complexities of data and systems.

The interplay of these risks forms the basis of the Audit Risk Model, which states that the total audit risk is a
function of inherent, control, and detection risks. The IS auditor’s understanding and application of this model
is vital for effective risk management and audit planning as it guides us in identifying areas of higher risk and in
designing audit procedures that are both efficient and effective. The model drives IS auditors to focus on areas
with higher inherent and control risks. For instance, the inherent risk is higher in a company with outdated IT
systems, necessitating more robust control measures. If these controls are weak, the control risk rises, leading
auditors to implement more rigorous detection techniques. In devising audit strategies, auditors balance these
risks. Due to strong IT governance, we may accept a higher detection risk if the control risk is low. This balance
means we may not need to test every transaction but can rely on sampling. Conversely, if control risk is high,
auditors will aim to lower detection risk by employing more comprehensive testing methods.
Inherent risk is often outside the control of the audit team but must be thoroughly understood. For example,
a company operating in a highly regulated industry like finance or healthcare inherently faces greater risks
related to compliance and data security. Recognizing these risks enables auditors to focus on the most critical
areas. Control risk assessment is an ongoing process in IS auditing. Auditors must continually evaluate the
effectiveness of a client’s internal controls. This evaluation includes examining IT policies, access controls, and
other security measures. Regular updates to these controls are necessary to keep pace with technological
advancements and emerging threats.
Lastly, mitigating detection risk involves employing various IT audit techniques and technologies. With
advancements in data analytics and automated auditing tools, IS auditors have powerful resources at their
disposal. However, the skillful interpretation of audit findings remains a human task, underscoring the
importance of experience and judgment in this field. The IS Auditor’s aim is not only to identify risks but also
to provide insights that can enhance controls and reduce the overall risk profile. The model’s application is
both a science and an art, requiring a deep understanding of technology, business processes, and the unique
challenges of the digital age.

The Role of Materiality and Audit Risk in Developing IS Audit Strategy

Collectively, materiality and the audit risk model are central to the process of developing the IS Audit Strategy.
As discussed earlier, materiality measures the significance of an error or omission within the organization’s
financial or operational landscape. The application of materiality in IS audits goes beyond the numbers and
requires a thorough understanding of the organization’s operations, the information systems in use, the context
and implications of audit findings, and the potential impact of errors, issues, and audit findings. The audit
risk model, on the other hand, is a framework used to manage and minimize the risk of reaching incorrect
conclusions in an audit and comprises of inherent risk, control risk, and detection risk.
While materiality helps prioritize audit areas and focus on what’s most important, the audit risk model guides
auditors in assessing risks across different areas, allowing them to allocate more resources and attention to
areas with higher materiality and risk. Integrating materiality into the audit risk model transforms the audit
process from a generic procedure to a targeted, value-adding activity. Auditors can tailor their approach based
on the organization’s unique environment and risks. For example, in a financial institution, the materiality of
transactions will be high, requiring a lower tolerance for risk. This necessitates rigorous audit procedures to
minimize detection risk. Conversely, in a less critical system with lower materiality, the auditor might accept a
higher level of risk. This approach allows for more efficient use of resources without compromising the overall
effectiveness of the audit.
Effective communication of materiality and risk assessments is also key. Auditors must clearly articulate the

03.02. Risk Assessment and Materiality in IS Audits | 95

rationale behind their assessments and decisions. This clarity is essential for the audit team and stakeholders
who rely on the audit findings to make informed decisions.
Once the audit strategy has been finalized, the IS audit team will develop a detailed IS Audit program that
serves as the roadmap for the individual audit/assurance engagement. A summarized view of the risk-based
audit approach at the individual audit/assurance engagement is presented below:

Risk-based Audit Approach

1. Gather Information and Plan:

▪ Knowledge of business, industry, & regulatory statuses

▪ Prior year’s audit results and recent financial information
▪ Inherent risk assessment

2. Obtain an Understanding of Internal Control:

▪ Control environment
▪ Control procedures
▪ Control and detection risk assessment

3. Perform Compliance Tests:

▪ Identify key controls to be tested

▪ Perform tests on reliability, risk prevention, and adherence to organization policies
and procedures

4. Perform Substantive Tests:

▪ Analytical procedures
▪ Substantive analytical testing
▪ Detailed tests of account balances

5. Conclude on the Audit:

▪ Perform sufficient quality assurance on audit procedures

▪ Create feasible, relevant, and timely recommendations
▪ Write, review, and issue the final audit report

See the next section for more details on the IS Audit Program and its components that accomplish the above.

IS Auditor’s Role in Continuous Risk Monitoring

Continuous risk monitoring represents a shift from traditional, periodic audit practices to a more dynamic,
ongoing process. It involves the regular observation and analysis of an organization’s risk environment to

96 | 03.02. Risk Assessment and Materiality in IS Audits

identify and respond to emerging risks. This process is crucial in today’s fast-paced, technology-driven world,
where risks can arise rapidly and change frequently. For IS auditors, continuous risk monitoring is not just a task
– it’s a mindset. It requires staying alert to new developments, understanding the implications of changes in
technology and business processes, and being ready to act when risks are identified.
Integrating continuous risk monitoring into the audit process transforms the auditor’s role. Auditors actively
participate in the organization’s risk management framework, contributing real-time insights and
recommendations for a more responsive and effective risk management approach. Effective continuous risk
monitoring relies on a range of tools and techniques. Technology plays a crucial role here. Automated
monitoring systems, data analytics, and real-time reporting tools are some of the key enablers. These
technologies allow auditors to collect and analyze data continuously, identify trends, and detect anomalies that
could indicate risks.
Continuous risk monitoring is not a solitary activity. It requires collaboration with various stakeholders within
the organization. IT professionals, management, and even end-users play a role in identifying and managing
risks. IS auditors tend to foster open lines of communication, and building strong relationships with these
stakeholders is essential. It also plays a critical role in the overall risk assessment process by providing ongoing
insights that help auditors update their risk assessments, ensuring they remain relevant and accurate. This
ongoing assessment is key to identifying and responding to emerging risks effectively.

In the Spotlight

For additional context on the role of risk assessment, materiality, and audit risk on IT Audit Planning,
please read the article titled “The Impact of Poor IT Audit Planning and Mitigating Audit Risk”[opens a
new tab].

Curtis B. (2020). The impact of poor IT audit planning and mitigating audit risk.” ISACA Journal, 3.
https://www.isaca.org/resources/isaca-journal/issues/2020/volume-3/the-impact-of-poor-it-audit-
planning-and-mitigating-audit-risk

03.02. Risk Assessment and Materiality in IS Audits | 97

Key Takeaways

Let’s recap the key concepts discussed in this section by watching this video.

Source: Mehta, A.M. (2023, December 6). AIS OER ch 03 topic 02 key takeaways [Video].
https://youtu.be/DLXtwIk2-Ds

Knowledge Check

98 | 03.02. Risk Assessment and Materiality in IS Audits

Review Questions

1. Describe the process of risk analysis in IS auditing and explain how it differs from risk
identification.
2. What is the role of materiality in determining the scope of an IS audit?
3. Explain the significance of continuous risk monitoring in IS auditing and how it impacts the
auditor’s role.

Mini Case Study

Acme Corporation, a large retail company, recently upgraded its information systems to streamline
operations. As an IS auditor, you are tasked with developing a multi-year IS audit plan. Your objectives
include identifying and evaluating the risks associated with the new system, determining materiality
thresholds for the audit, and implementing continuous risk monitoring.During the risk identification
phase, you uncover several potential risks: cybersecurity threats due to new online platforms, potential
data integrity issues from system integration, and compliance risks with data protection laws. For risk
analysis, you assess these risks for their probability and impact. The cybersecurity threat is deemed
highly likely and with significant potential impact, while compliance risks are less likely but with severe
legal implications. Data integrity issues are moderately likely, with a moderate impact.

You set materiality thresholds based on the company’s operational scale and the critical nature of the
identified risks. The threshold for cybersecurity and compliance risks is set lower due to their potential

03.02. Risk Assessment and Materiality in IS Audits | 99

severe impacts. In the final phase, you implement a continuous risk monitoring system. This includes
automated tools for real-time detection of cybersecurity threats and regular reviews of compliance and
data integrity.

Required: Based on the case study, evaluate how the IS auditor effectively applied the concepts of
risk identification, analysis, evaluation, materiality determination, and continuous risk monitoring in
developing the audit plan.

100 | 03.02. Risk Assessment and Materiality in IS Audits

03.03. Developing an IS Audit Program

Credit: People working at an office by Pavel Danilyuk, used under the Pexels License.

Briefly reflect on the following before we begin:

• What should be included as key components of an IS audit program?

• What are some pitfalls in developing an effective IS audit program?
• How can IS Auditors prepare flexible programs to address common challenges faced in developing an IS
audit program?

In this section, we will discover the intricacies and methodologies in crafting an effective IS audit program,
including its elements and role in guiding auditors through the nuanced landscape of IS audits.
An IS audit program is not merely a checklist; it’s a comprehensive framework that outlines the objectives,
scope, timing, and direction of IS audits. It is a strategic guide that aligns the audit process with the
organization’s goals and risk landscape so that the audit program is not only thorough but also pertinent to the
specific needs and risk profile of the organization.
We will explore the components that form the backbone of an IS audit program, including the audit

03.03. Developing an IS Audit Program | 101

objectives, which define what the audit aims to achieve; the scope, detailing the breadth and depth of the
audit; the resources, outlining the manpower, tools, and techniques required; and the timeline, which provides
a schedule for audit activities. We will also review various IS auditing methodologies and procedures that serve
as a toolkit of approaches that can be adapted to different audit environments. The methodologies range from
traditional to innovative, each with its unique strengths.
Moreover, we will consider the importance of continuous improvement and adaptation in IS audit programs
as it underscores the dynamic nature of technology and business environments, necessitating that audit
programs be flexible and responsive to change. IS auditors must stay abreast of emerging trends, risks, and
technologies, ensuring their audit programs remain relevant and effective. Lastly, we will briefly discuss the
soft skills required for developing an IS audit program, including communication, negotiation, and stakeholder
management skills

The IS Audit Program, Methodologies, and Procedures

A well-structured and thoughtfully developed IS audit program serves as a roadmap, guiding auditors through
the complex landscape of information systems. An audit program is a step-by-step set of audit procedures
and instructions that should be performed to complete an audit. It is based on the scope and objective of the
specific audit engagement. The primary purposes of an audit program are to accomplish the following:

• Formal documentation of audit procedures and sequential steps

• Creation of procedures that are repeatable and easy to use by internal or external audit and assurance
professionals who need to perform similar audits
• Documentation of the type of testing that will be used (compliance and/or substantive)
• Meeting generally accepted audit standards that relate to the planning phase in the audit process

The elements of an IS audit program are the building blocks for a successful audit as they ensure that the audit
is aligned with organizational goals, appropriately scoped, well-resourced, effectively timed, and focused on key
risk areas. A well-crafted IS audit program can enhance the audit process and contribute significantly to the
organization’s overall risk management and governance efforts.
IS auditing methodologies and procedures form the backbone of the audit process as they connect the risk-
based multi-year IS Audit plan to the execution and reporting on assurance and advisory engagements.
Imagine you are preparing for a long journey. Before embarking, you need a well-defined route, a list of
essentials, and a plan for different scenarios you might encounter. Similarly, audit program development is akin
to mapping out the journey you will undertake during the audit. It ensures that auditors are well-prepared and
that the audit process remains structured and organized.
The exact order and details of planning an engagement, including establishing the objectives and scope, may
vary according to the individual organization’s needs, audit activity, and engagement. However, the following
key components are included in an effective IS Audit Program:

Defining Audit Objectives

The first step in developing an IS audit program is defining clear, precise audit objectives. These objectives set
the direction for the audit and ensure its alignment with the organization’s goals and regulatory requirements.
The engagement objectives articulate what the engagement is attempting to accomplish; therefore, the
objectives should have a clear purpose, be concise, and be linked to the risk assessment. Well-defined

102 | 03.03. Developing an IS Audit Program

objectives not only guide the auditor but also clarify the purpose and scope of the audit for stakeholders.
They should be specific, measurable, and achievable, reflecting the unique aspects of the organization’s IT
environment and business processes. A crucial part of this process is understanding the organization’s strategic
objectives, as the audit should support and enhance these goals. IS auditors should validate that the objectives
of the audit align with the business objectives of the area or process under review. The audit engagement
should focus on ensuring controls are in place to effectively mitigate the risks that could prevent the area
or process from accomplishing its business objectives. Audit objectives must also consider the probability of
significant errors, fraud, noncompliance, and other exposures.
High-level audit objectives are typically established when finalizing the audit universe. This may include an
evaluation of the:

• Accuracy, validity, classification, and/or completeness of transactions and activities

• Appropriate authorization of select processes.
• Reliability of IS processing.
• Integrity of data and programs.
• Appropriateness of IS development and implementation.
• Adequacy of the safeguards around data and programs.
• Continuity of business process management.

Determining the Scope of the Audit

Once the risk-based objectives have been formed, the scope of the audit engagement can be determined.
Because an engagement generally cannot cover everything, IS auditors must determine what will and will not
be included. The engagement scope sets the boundaries of the engagement and outlines what will be included
in the review. IS auditors must carefully consider the boundaries of the engagement to ensure that the scope
will be sufficient to achieve the engagement’s objectives.
The scope may define such elements as the specific processes and/or areas, geographic locations, and period
(e.g., point in time, fiscal quarter, or calendar year) that will be covered by the engagement, given the available
resources. IS auditors must carefully consider the breadth of the scope to ensure it enables timely identification
of reliable, relevant, and useful information to accomplish the identified engagement objectives. To confirm
that the scope meets the audit objectives and aligns with the organization’s annual audit plan, IT auditors must
use sound professional judgment based on relevant experience and/or supervisory assistance. They must also
consider relevant systems, records, personnel, and all physical properties.
IT auditors should consider legal factors affecting the engagement scope and approach. For example, if
the organization or area under review has nondisclosure agreements with third parties, the organization may
be required to notify regulatory authorities before starting the engagement. Pending or imminent litigation
and cases of noncompliance should also be considered. Once the audit has begun, any work program
modifications, including any scope changes, must be approved. Additionally, IT auditors should consider
whether a separate consulting engagement is warranted if significant consulting opportunities arise during
the audit. If so, a specific written understanding as to the objectives, scope, respective responsibilities, and
expectations should be reached, and the results of the consulting engagement should be communicated by
consulting standards.

03.03. Developing an IS Audit Program | 103

Reviewing Existing Client Controls

A control may be defined as any action taken by management to enhance the likelihood that established
objectives and goals will be achieved. Overall, internal control objectives, at a detailed level, can be seen
to encompass reliability and integrity of information, compliance with policies, plans, procedures, laws, and
regulations, safeguarding of assets, as well as efficiency and effectiveness of operations.
An important aspect of an IS Auditor’s methodology is to identify the existing controls and assess their
design and operating effectiveness in addressing the risks faced by the organizations.
Internal controls can be classified into various types and it is the combination of these controls that go
to make up the overall system of internal controls designed to achieve the general control objectives. Such
controls can be classified into:

• Preventative controls, which occur before the fact but can never be 100% effective and therefore cannot
be wholly relied upon. These could include controls such as user restrictions, password requirements, and
separate authorization of transactions.
• Detective controls, which detect irregularities after occurrence and may be cheaper than checking every
transaction with a preventative control. Such controls could include the effective use of audit trails and the
use of exception reports.
• Corrective controls ensure the correction of problems identified by detective controls and normally
require human intervention within the IT. Controls in this area may include such processes as Disaster
Recovery Plans and transaction-reversal capabilities. Corrective controls are highly error-prone because
they occur in unusual circumstances and typically require a human decision to be made and an action
decided upon and implemented. At each stage in the process, a subsequent error will have a multiplier
effect and may compound the original mistake.
• Directive controls are designed to produce positive results and encourage acceptable behaviour. They do
not themselves prevent undesirable behaviour and are commonly used where there is human discretion.
Thus, informing all users of personal computers that it is their responsibility to ensure adequate backups
are taken and stored appropriately does not enforce compliance. Nevertheless, such a directive control can
be monitored and action taken where the power is breached.
• Compensating controls can exist where a weakness in one rule may be compensated by a power
elsewhere. They are used to limit risk exposure and may trap the unwary evaluator. This is particularly true
where the auditors are faced with complex integrated systems, and the control structures involve a
mixture of system-driven and human controls scattered over a variety of operational areas.

Controls may be manual or automated, where manual controls are implemented by manual intervention
and automated controls are implemented by the computer system itself. Controls may also be application or
general IT, with application controls having to do with the business function and general IT controls being about
the running of the IT function. See Chapter 5 and Chapter 6 for more details on these controls.
Given the overall control objectives noted in the preceding section, control structures must be designed to
ensure:

• Segregation of duties: Controls to ensure that those who physically handle assets are not those who
record asset movements. Nor are they the same people who reconcile those records nor even those who
authorize such transactions. Within a modern computer system this is normally achieved by a
combination of user identification, user authentication, and user authorization.
• Competence and integrity of people: Underpinning the control system are the people who enforce it. For
controls to be effective, those who exercise control must be capable of doing so and honest enough to
consistently do so. This means that simply having users follow procedures is inadequate in a modern

104 | 03.03. Developing an IS Audit Program

information systems environment, and a high degree of risk and control awareness is required to ensure
that the controls function as intended.
• Appropriate levels of authority: A common mistake in control structures is granting too much authority
within control boundaries. Authorities should only be granted on a need-to-have basis. If there is no need
for a particular individual to have specific authorities, they should not be granted. Obviously this requires
effort on the part of those individuals who assign authorities in identifying which levels of authority are in
fact needed and which are simply desired. It is, unfortunately, still true in many sites that access control is
limited to user authentication and after such authentication the user will then have unrestricted access
into all functional areas within IT.
• Accountability: For all decisions, transactions, and actions taken, there must be controls that will
determine who did what with an acceptable degree of confidence. This normally involves the use of
control logs and audit trails. Simply maintaining such logs and records can be counterproductive because
they can lull the organization into a false sense of security. For such records to be an effective control they
must be scrutinized regularly and appropriate action taken to remedy any discrepancies noted.
• Adequate resources: Controls that are attempted with inadequate resources will typically fail whenever
they come under stress. Adequate resources include manpower, finance, equipment, materials, and
methodologies. Management frequently underestimates the cost of resources to implement controls, and
IT auditors commonly recommend controls, giving no thought to the cost of such control and
management’s lack of resources to implement.
• Supervision and review: Adequate supervision of the appropriate type is fundamental to the
implementation of sound internal control. It is unfortunately still true that in many cases people do not do
what is expected, but only what is inspected.

Within the information systems there are three primary software components that add to or subtract from
control. These components are as follows:

• Systems Software includes computer programs and routines controlling computer hardware, processing,
and non-user functions. This category includes the operating systems, telecommunications software, and
data-management software.
• Applications Software includes computer programs written to support business functions such as the
general ledger, payroll, stock systems, order processing, and other such line-of-business functions.
• End-User Systems are special types of application systems that are generated outside the IT organization
to meet specific user needs. These include micro-based packages as well as user-developed systems. In
many cases these systems were designed to achieve specific operational goals and may or may not have
been designed with appropriate controls implemented.

A robust control framework may include the following control types along with their objectives:

• General Control Objectives: These objectives, general in nature, cover the overall aspects of the integrity of
information, computer security, and compliance with policies, plans, rules, laws, and regulations.
• Application Control Objectives: Application systems have their own sets of built-in controls primarily
business-systems oriented. Generally, they include such control objectives as accuracy, completeness, and
authorization.
• Program Control Objectives: The development and running of computer programs are subject to their
own control objectives and procedures. Control objectives would include ensuring:

◦ Integrity of programs and processing

◦ Prevention of unwanted changes
◦ Ensuring adequate design and development control

03.03. Developing an IS Audit Program | 105

◦ Ensuring adequate testing
◦ Controlled program transfer
◦ Ongoing maintainability of systems
• Corporate Governance: The importance of good governance has become a watchword internationally and
has been driven by the requirements of the global economy for transparency and accountability in
organizational stewardship. Corporate governance involves the mechanisms by which a business
enterprise is directed and controlled. It concerns the mechanisms through which corporate management
is held accountable for corporate conduct and performance and provides the framework within which the
objectives of the company are set, and the means of attaining those objectives and monitoring
performance are determined.

Lastly, a good internal control system must also include regular communication of updates and reminders
of policies and procedures to staff through emails, staff meetings and other communication methods.
Organizations must periodically assess risks and the level of internal control required to protect the
organization’s IT asset management and records related to those risks. Progressive organizations also
document the process for review, including when it will take place. Finally, management must take the
responsibility for making sure that all staff are familiar with policies and changes in those policies.

Audit Criteria

IS auditors select criteria against which the subject matter will be assessed that are objective, complete,
relevant, measurable, understandable, widely recognized, authoritative, and understood by, or available to, all
users of the report. Identifying such criteria ensures that assurance engagement objectives are measurable,
practical, and aligned with the organization’s objectives and the area or process under review. IS auditors must
use the criteria already established by management and/or the board if such criteria exist. IS auditors must
identify appropriate criteria through discussion with management and the board if no criteria exist. IS auditors
should also consider seeking input from subject matter experts to help develop relevant criteria.
Examples of effective audit criteria include the following:

• Existing key performance indicators.

• Targets set during strategic planning.
• The degree of compliance with area or process policies and procedures, regulations, and/or contracts.
• Industry standards or benchmarks.

Adequate criteria will provide a reference for IS auditors to evaluate evidence, understand findings, and assess
the adequacy of the controls in the area or process under review. The criteria, or lack thereof, should be
compared to industry benchmarks, trends, forecasts, and the organization’s policies and procedures.

Audit Timeline, Scheduling, and Resource Allocation

Developing a realistic timeline and schedule for the audit is a critical aspect often overlooked. The timeline
should account for all phases of the audit, from planning to reporting and should include specific milestones
and be flexible enough to accommodate unforeseen delays or issues. Effective scheduling is a balancing act
– it requires careful planning to ensure that each phase of the audit receives the attention it needs without

106 | 03.03. Developing an IS Audit Program

rushing or unnecessarily prolonging the process. Coordination with various stakeholders to align schedules and
availability is also crucial.
An IS audit is only as effective as the team behind it and the resources at their disposal; hence, allocating
the right mix of skills and resources is vital. This includes selecting team members with diverse expertise in
IT, auditing, and the specific industry. IS Audit executives must aim to create a multidisciplinary team capable
of addressing the varied aspects of an information system. Additionally, ensuring that the team can access
necessary tools, such as communications tools, audit working paper management software, and data analytics
tools, is essential for a thorough and effective audit.

Other Considerations

The two more important aspects of the IS Auditing methodology and procedures (apart from the ones
discussed above) are Evidence-gathering Techniques and Audit Sampling. Both these aspects are discussed in
depth in the following two sections.
Beyond these, it is vital to note that the landscape of IS auditing has seen a transformative shift from
traditional to modern techniques. Traditional methods, often manual and time-consuming, were focused on
physical verifications and paper trails. As technology advanced, these methods evolved. Modern techniques
now leverage digital tools and software, enhancing efficiency and accuracy. The transition from traditional to
modern methodologies is not just a change in tools; it’s a paradigm shift in how auditors approach data and
processes. This evolution is crucial for auditors to understand, as it reflects the dynamic nature of the field.
Emerging technologies such as Artificial Intelligence (AI), blockchain, and cloud computing are reshaping the
IS auditing landscape. These technologies present new challenges and opportunities for auditors. For instance,
with its decentralized and immutable ledger, blockchain technology requires a different auditing approach
than traditional databases. Similarly, cloud computing introduces concerns related to data sovereignty and
security. Auditors must stay informed about these developments and adapt their methodologies and
procedures accordingly. Among others, the three most relevant technological considerations for IS Auditors are
as follows:

Technological Considerations for IS Auditors

Computer-Assisted Auditing Techniques (CAATs)

Computer-Assisted Audit Techniques (CAATs) have revolutionized IS auditing. CAATs include a

range of tools and techniques, from simple data extraction software to complex analysis programs.
They allow auditors to automate certain audit tasks, increasing the efficiency and scope of the audit.
In my practice, I’ve employed CAATs for tasks such as sampling, testing controls, and analyzing
transactions. Their ability to process large volumes of data quickly makes them indispensable in the
modern auditing environment. However, it’s crucial for auditors to understand not just how to use
these tools, but also their limitations and the context in which they are most effective.

03.03. Developing an IS Audit Program | 107

Data Analytics in IS Auditing

Data analytics has become a cornerstone in modern IS auditing. It allows auditors to analyze large
datasets effectively, identifying trends and anomalies that might indicate risks or issues. My
experience has shown that the use of data analytics can significantly enhance the audit process. It
enables more comprehensive coverage and deeper insights into the audited systems. Data analytics
tools vary in complexity, from basic spreadsheet functions to advanced software capable of
sophisticated data manipulation and visualization. Auditors must be adept at selecting and utilizing
the appropriate tools for their specific audit objectives.

Audit Procedure Standardization and Documentation

The documentation and standardization of audit procedures are vital for ensuring consistency and
quality in IS audits. Standardized procedures provide auditors a framework to follow, ensuring that
audits are conducted systematically and comprehensively. In my teaching and auditing career, I’ve
emphasized the importance of well-documented procedures. They serve as a reference point for
auditors, helping to maintain consistency across different audits and auditors. Moreover,
standardized procedures are essential for quality assurance and enable effective training of new
auditors.

Having a thorough understanding of the IS auditing methodologies and procedures is fundamental for
aspiring and practicing IS auditors. The shift from traditional to modern techniques, the integration of data
analytics and CAATs, the importance of standardized documentation, and the adaptation to emerging
technologies are all crucial aspects. This knowledge is not static; it evolves with technology and business
landscape. As such, auditors must be lifelong learners, continually updating their skills and understanding to
remain effective in their roles. More importantly, beyond the technical knowledge, IS Auditors must also be
cognizant of the soft skills (or enabling competencies) that will render them effective while implementing the
IS audit program. Some of the most relevant soft skills expected from effective IS Auditors include the following:

108 | 03.03. Developing an IS Audit Program

Soft Skills of Effective IS Auditors

Communication

Auditors must effectively convey complex technical findings to various stakeholders, including
non-technical personnel and top management. Strong written and verbal communication skills are
essential for drafting clear audit reports, explaining audit results, and collaborating with various
teams.

Critical Thinking

IS auditors often encounter complex and ambiguous situations that require critical thinking and
problem-solving abilities. They must analyze data, identify vulnerabilities, and develop
recommendations. Critical thinking helps auditors make informed decisions and provide valuable
insights to improve information systems.

Attention to Detail

The devil is in the details, and in IS auditing, precision is paramount. Auditors must meticulously
examine systems, controls, and data to identify weaknesses and risks. Attention to detail ensures
that no crucial information is overlooked during the audit process.

Adaptability

The field of IS auditing is constantly evolving, with new technologies, threats, and regulations
emerging regularly. Auditors must be adaptable and open to learning. Being willing to embrace
change and update skills is vital to remain relevant and effective.

Time Management

IS auditors often juggle multiple projects and deadlines. Effective time management skills are
essential to prioritize tasks, meet deadlines, and maintain productivity. This skill ensures that audits
are completed efficiently without compromising quality.

Problem-solving

IS auditors frequently encounter complex technical challenges. Problem-solving skills are

03.03. Developing an IS Audit Program | 109

invaluable when troubleshooting issues, finding root causes, and developing solutions to mitigate
risks.

Teamwork

IS auditing is rarely a solo endeavor. Auditors often work in teams or alongside other departments.
Being a team player and collaborating effectively with colleagues from different backgrounds is
crucial to achieving audit objectives.

Emotional Intelligence

Understanding and managing emotions, both one’s own and those of others is a valuable soft skill.
It helps auditors navigate challenging conversations, build rapport, and make informed decisions
based on empathy and understanding.

In the Spotlight

For additional context on conducting an IS audit, please read the following articles:

• “The ultimate guide to conducting an IT audit” [opens a new tab].

• “IS Audit Basics: Audit Programs” [opens a new tab].

Emley B. (2023). The ultimate guide to conducting an IT audit. Zapier. http://zapier.com/blog/it-audit/

Cooke, I. (2017). IS audit basics: Audit programs. ISACA Journal, 4. http://isaca.org/resources/isaca-

journal/issues/2017/volume-4/is-audit-basics-audit-programs

110 | 03.03. Developing an IS Audit Program

Key Takeaways

Let’s recap the key concepts discussed in this section by watching this video.

Source: Mehta, A.M. (2023, December 6). AIS OER ch 03 topic 03 key takeaways [Video].
https://youtu.be/5vttCiCkiC8

Knowledge Check

03.03. Developing an IS Audit Program | 111

Review Questions

1. Explain the importance of defining clear audit objectives in an IS Audit Program. What should
these objectives align with?
2. What factors should be considered when determining the scope of an IS audit?

Mini Case Study

TechStream Inc., a leader in financial management software solutions, boasts a 15-year history with a
global presence. The company, headquartered in New York, commands an impressive annual revenue
of approximately $500 million and employs around 3,000 staff worldwide, with significant operations
across Europe (Germany, UK) and Asia (India, Japan). TechStream Inc.’s software solutions are diverse,
offering both on-premise installations and cloud-based services. Recently, they have started integrating
AI algorithms to enhance their financial analysis capabilities, showcasing their commitment to
technological advancement. The company’s transition to the cloud is noteworthy, with a substantial
reliance on third-party cloud service providers for its cloud offerings and ongoing initiatives to migrate
critical data storage services to cloud platforms. This transition is coupled with exploratory ventures into
IoT technology, aimed at harnessing real-time financial data from various sources. TechStream Inc.’s
clientele is broad and includes large financial institutions, mid-sized banks, and emerging fintech
startups, making the handling of sensitive financial data, such as transaction histories and customer
information, a regular occurrence.

112 | 03.03. Developing an IS Audit Program

Required: Based on the risk assessment and prioritization, an audit of customer data security must
be performed during the upcoming quarter. Analyze how the audit team should approach the
development of the IS audit program for TechStream Inc., considering the concepts discussed in this
section.

03.03. Developing an IS Audit Program | 113

03.04. Effective Audit Procedures -
Evidence-gathering Techniques

Credit : Three people working in the office by Yan Krukau, used under the Pexels License.

Briefly reflect on the following before we begin:

• Why is it essential for IS Auditors to gather reliable and relevant evidence during an audit?
• Can you explain the concepts of sufficiency and appropriateness of audit evidence?
• What strategies can IS Auditors use to make sure that they collect the most reliable and comprehensive
evidence during an audit?

Comprehensive, detailed, and diligent documentation is vital in creating a robust audit trail. Documentation is
not merely about recording facts; it’s about weaving a narrative that captures the essence of the audit process.
This includes various materials, from policy documents and system logs to user manuals and transaction

114 | 03.04. Effective Audit Procedures - Evidence-gathering Techniques

records. We will start our discussion in this section by considering how adequate documentation can illuminate
the path of an audit, providing clarity and direction.
Understanding the nature of audit evidence is equally crucial, as sufficient and appropriate evidence is the
foundation upon which IS auditors build their conclusions. It’s not just about gathering enough evidence; it’s
about collecting the right kind of evidence. The quality of evidence is paramount. It must be relevant, reliable,
and sufficient to support audit findings. It comes in various forms, each carrying its weight and relevance. We
will highlight the difference between qualitative and quantitative evidence, stressing the need for a balanced
approach. IS Auditors must be adept at evaluating both types of evidence and understanding their unique
characteristics and implications for the audit.
Finally, we will examine the primary evidence-gathering techniques or the tools of the trade for every IS
auditor. Each technique has its place and purpose, from interviews and document reviews to technical testing
and data analytics. We will explore these techniques in detail, underlining their relevance and application
in modern IS audits. Drawing from real-world experiences, this section aims to comprehensively understand
effective audit procedures to conduct thorough, efficient, and effective IS audits.

The Role of Documentation in IS Auditing

Documentation and working paper management in IS auditing is far more than a collection of papers or digital
files. It is the tangible representation of the audit’s journey, encompassing various forms and functions. Effective
documentation is a meticulous process of capturing, organizing, and presenting information vital to the audit’s
success. It includes policies, procedures, system logs, correspondence, and transaction records, each serving a
unique purpose.
An audit trail is a chronological record providing a step-by-step account of the audit process, decisions, and
actions taken. It is essential for ensuring transparency and accountability. Given the extent of professional
judgment to be applied across various stages of an IS Audit, the need to create a clear, comprehensive audit
trail to justify the professional judgment applied by IS Auditors cannot be understated. It facilitates the audit
process and serves as a critical tool for any disputes or follow-up inquiries. Different types of documentation
in IS audits serve different purposes. Policy documents, for example, provide insight into the organization’s
regulatory compliance and governance standards. System logs offer a technical perspective, revealing user
activities and system performance. Transaction records are crucial for verifying the accuracy and integrity of
financial data. Each type of document contributes a piece to the puzzle, helping auditors form a complete
picture of the IS environment they are examining.
Evaluating the reliability and relevance of documentation is a skill honed with experience. IS Auditors often
encounter situations where documentation appears comprehensive but is outdated or not aligned with current
practices. Diligent auditors must critically assess every piece of documentation, ensuring it is current, accurate,
and relevant to the audit’s objectives. This evaluation forms the basis for sound audit conclusions and
recommendations. Documentation standards and best practices in IS auditing are not merely guidelines; they
are the principles that uphold the integrity of the audit process. These standards ensure that documentation is
consistent, complete, and adheres to professional and regulatory requirements.

The Nature of Audit Evidence

Audit evidence is the raw material gathered during an audit to support the auditor’s observations, findings,
and opinions. A wide range of evidence may be obtained during an IS audit, each type offering unique insights

03.04. Effective Audit Procedures - Evidence-gathering Techniques | 115

into the audit process. Understanding these different types of evidence is key to conducting a thorough and
effective audit. Audit evidence may include the following:

• An IS auditor’s observations (presented to management),

• Notes taken from interviews,
• Material extracted from correspondence and internal documentation or contracts with external partners,
• Results of independent confirmations obtained by an IS auditor from different stakeholders, and/or
• The results of audit test procedures.

One must discern between qualitative and quantitative evidence in IS audits. Qualitative evidence, often
narrative in nature, provides context and understanding of the processes and controls within an organization.
This includes observations, interviews, and written explanations. Quantitative evidence, on the other hand, is
numerical. It is derived from data sets, financial records, and transaction logs analysis. Both types of evidence
are crucial, and a skilled auditor knows how to balance and integrate them to form a comprehensive audit
perspective. Direct and indirect evidence also play significant roles in IS audits. Direct evidence is obtained
through firsthand observation or interaction, such as inspecting a system configuration or reviewing a
transaction record. Indirect evidence, conversely, is evidence that is inferred or deduced, such as conclusions
drawn from analyzing trends in data logs. Understanding the impact of these evidence types on audit
conclusions is a critical skill. Direct evidence often carries more weight, but indirect evidence can provide crucial
corroborative support.
The digital nature of IS audits presents unique challenges, such as data volatility, systems’ complexity, and
the need for specialized tools and skills to extract and analyze evidence. Navigating these challenges requires
technical expertise and a keen understanding of the legal and ethical considerations involved in handling
digital evidence. Generally, the reliability of audit evidence must include an evaluation of:

• Independence of the evidence provider: Evidence obtained from outside sources is more reliable than
from within the organization. This is why confirmation letters are used for verification of accounts
receivable balances. Additionally, signed contracts or agreements with external parties could be
considered reliable if the original documents are available for review.
• Qualifications of the individual providing the information/evidence: IS auditors must verify whether the
providers of the information/evidence are inside or outside of the organization, an IS auditor should always
consider the qualifications and functional responsibilities of the persons providing the information.

Sufficiency and Appropriateness of Audit Evidence

Sufficiency and appropriateness are the two important drivers of the reliability of audit evidence.
Sufficiencyrefers to the quantity of evidence, while appropriateness pertains to the quality (reliability and
relevance) of the evidence gathered. More evidence does not necessarily equate to better evidence. The focus
should be on gathering enough relevant and reliable evidence to form a solid foundation for audit findings.
Relevance of information means there is a logical connection to the audit areas. Therefore, evidence is
considered relevant if it provides confirmation about an area most at risk. For example, if the auditor determines
that the primary assertion at risk is the security of the network firewall, it would not be appropriate to spend
more time gathering evidence about the appropriateness of data back-ups. By identifying the key risk areas for
the auditee, an IS auditor can focus on gathering more (sufficient) high-quality (appropriate) evidence where
the risk of material misstatement is believed to be most significant.
Reliability refers to whether the evidence reflects the true state of the information. In terms of the reliability of
information, the auditor should consider the following:

116 | 03.04. Effective Audit Procedures - Evidence-gathering Techniques

• The source of the information—it is important for the evidence to be unbiased. Information from external
third parties is generally reliable because the respondent or the person from whom the information is
sought is independent of the organization.
• The consistency of the information—evidence that is consistent from one source to another is more
reliable than inconsistent evidence from one source to another. For example, if responses to inquiries of
operational management and risk management functions are not consistent, the reliability of the
information will be reduced.
• The source of information and whether it is produced where internal controls operate effectively—for
example if there are robust controls over the change management cycle, then change tickets, user testing
and post-implementation records will provide more reliable evidence than if the controls are ineffective.
• The form of the evidence—paper and electronic is more reliable than verbal evidence. For example,
inspecting a service-level agreement to support lease commitment disclosure provides more reliable
evidence than discussing the lease requirements with management.
• The way the documents were created and maintained—original documents are less likely to be altered,
and therefore, they are considered more reliable than photocopied, scanned, or other transformed
documents.
• The way the evidence is collected—evidence gathered directly by the IS auditor is considered more
reliable than evidence gathered indirectly. For example, a bank confirmation sent directly to the auditor
provides more reliable audit evidence than an online bank statement provided by the client.

Balancing the quantity of evidence with audit efficiency is a challenge every auditor faces. In the fast-paced
environment of IS auditing, where technology and systems rapidly evolve, time is a precious resource. Auditors
must be adept at collecting sufficient evidence promptly, ensuring that audits are both thorough and efficient.
This requires a strategic approach to evidence gathering, prioritizing areas of higher risk and materiality. Lastly,
overcoming limitations in audit evidence is part of the auditor’s expertise. In my years as an auditor, I have
encountered various challenges, such as incomplete data, inaccessible information, or difficult to interpret
evidence. Developing the skill to navigate these limitations is essential. It involves creative problem-solving,
leveraging technology, and sometimes seeking alternative forms of evidence.

Primary Evidence-gathering Techniques

Audit procedures are the processes, techniques, and methods auditors perform to obtain audit evidence,
enabling them to conclude on the set audit objective and express their opinions. IS Auditors prepare audit
procedures at the planning stages once they identify audit objectives, scope, approach, and risks. Auditors
design audit procedures to detect all kinds of identified risks and ensure that the required audit evidence
is obtained sufficiently and appropriately. Audit procedures might be different across various functions and
periods. This is because internal controls differ from one function to another, and the controls may change from
time to time.
Having said that, IT auditors typically use the following six basic types of evidence-gathering techniques:

03.04. Effective Audit Procedures - Evidence-gathering Techniques | 117

Table: Evidence-Gathering Techniques

Technique Description Example

Inquiry is often the starting point in evidence gathering. It An IS auditor interviews the IT staff to
involves engaging with personnel to gain insights and understand the procedures for system
information. This includes formal interviews, casual updates and patches. The auditor
conversations, and questionnaires. Inquiry is more than inquires about how often these
just asking questions; it’s about listening and interpreting updates occur, how they are
Inquiry
the responses to form a broader understanding of the documented, and how they are
audit area. However, it is important to remember that approved. This helps assess the
information obtained through inquiry needs to be organization’s current approach to
corroborated with other evidence forms, as it is subject to maintaining system security and
biases and misunderstandings. software.

Observation is another fundamental technique, where the The IS auditor observes the backup
IS auditors observe processes, operations, and activities to process in real-time to ensure that
understand how systems and controls are implemented data backup procedures follow the
and functioning. Observation provides real-time evidence, policy. This includes verifying that
Observation offering a snapshot of the activities under review. It’s backups are taken at scheduled times
particularly useful in understanding workflows and and that the correct data sets are
identifying deviations from prescribed procedures. being backed up, providing IT
However, the limitation of observation is that it only assurance on data integrity and
provides evidence for the observed period. availability.

Analysis involves scrutinizing data and information to The IS auditor analyzes system logs to
identify patterns, anomalies, and trends. This often entails identify unusual or unauthorized
analyzing system logs, financial records, and transaction access attempts. By reviewing these
data in IS auditing. The power of analysis lies in its ability to logs, the auditor can spot patterns
Analysis transform raw data into meaningful insights. With that might indicate security breaches
advanced analytical tools and techniques, auditors can or attempts at data theft. This analysis
analyze large datasets more efficiently and effectively. helps in evaluating the effectiveness of
However, interpreting the results correctly requires a deep the organization’s network security
understanding of both the business and the technology. measures.

Inspection involves the examination of records,

The IS auditor inspects access control
documents, and tangible assets. This could include
lists to ensure that permissions and
reviewing contracts, policies, system configurations, and
roles are appropriately assigned. By
physical verification of assets. Inspection provides concrete
examining these lists, the auditor can
Inspection evidence and is essential in verifying the existence and
verify that users have access rights
accuracy of assets and information. The meticulous nature
consistent with their job functions,
of inspection demands a keen eye for detail and a
reducing the risk of unauthorized
thorough understanding of valid and reliable
access to sensitive information.
documentation.

The auditor sends a confirmation

Confirmation is a technique used to obtain a direct
request to a third-party service
response from a third party verifying the accuracy of
provider to verify the terms of service
information. This could involve confirming account
and data handling procedures. This is
balances, contractual terms, or the authenticity of
especially relevant for cloud-based
Confirmation transactions. Confirmation serves as an independent and
services where the organization’s data
objective source of evidence, often providing a high level of
is stored off-site. Confirmation from
assurance. However, the challenge lies in ensuring that
the service provider helps assess
responses are received from the appropriate and
compliance with data privacy and
authoritative sources.
security standards.

The auditor reperforms a sample of

Reperformance is a technique where the auditor transactions to verify the effectiveness
independently executes procedures or controls to validate of application controls. This could
their effectiveness. This includes recalculating financial include reprocessing transactions
figures or reprocessing transactions. Reperformance through the system to ensure the
Reperformance
provides a high level of assurance as it allows the auditor to controls correctly capture, process,
directly assess the reliability of controls and procedures. and report data. Reperformance
However, it requires a comprehensive understanding of assures the auditor that the
the systems and processes being audited. application controls are functioning as
intended.

IS Auditing standards require that sufficient appropriate audit evidence must be gathered to enable an IS
auditor to draw a conclusion on which to base their opinion regarding the fair presentation of the management
IS operations. However, the decision as to what constitutes sufficient appropriate audit evidence is a matter of
professional judgement, as it is based upon an auditor’s understanding of management’s IS processes and the
significant risks identified when planning the audit and evidence gathered when executing the audit. Thus, it

118 | 03.04. Effective Audit Procedures - Evidence-gathering Techniques

is essential for an IS auditor to not only be familiar with these primary evidence-gathering techniques but also
employ them in the right situation, recognizing the strengths and limitations of such techniques. Generally, the
following hierarchy of evidence can be used to judge reliability.

• Most Reliable: Physical inspection, Confirmation, External documentation, and Reperformance

• Less Reliable: External-internal documentation, Observation, and Analytical procedures
• Least Reliable: Internal documentation (poor controls), Inquiry, and Broad analytical procedures

This does not imply that the IS auditor would never or rarely use inquiries, broad analytical procedures, or
observation. Each of these techniques is relevant in specific situations. Applying them justly and appropriately
stems from a combination of the focus of the audit, adequate technical knowledge, a deep understanding of
management’s process, the IS auditor’s experience, and professional judgment. A snapshot of the degree of
reliability of each evidence-gathering technique is presented below for your reference.

Table: Reliability of Evidence-Gathering Techniques

Effectiveness Auditor’s
Types of Evidence & Independence Qualifications of Objectivity
of Auditee’s Direct
Extent of Reliability* of Provider Provider of Evidence
Internal Control Knowledge

Low (Client Varies

Inquiries (*) Not Applicable Low Varies
provides) (low to high)

High (Auditor
does)
Analysis (*) Varies High Not Applicable Low
Low (Client
provides)

High Normally High

Observation (*) Varies High Medium
(Auditor does) (Auditor does)

High Normally High

Inspection (**) Varies High High
(Auditor does) (Auditor does)

Varies
Confirmation (***) High Not Applicable Low High
(Usually High)

Recalculation/ High High

Varies High High
Reperformance (***) (Auditor does) (Auditor does)

In the Spotlight

For additional context on the nature, role, and types of audit evidence, please read the article “What
are the types of audit evidence?” [opens a new tab].

03.04. Effective Audit Procedures - Evidence-gathering Techniques | 119

RiskOptics. (2023). What are the types of audit evidence? https://reciprocity.com/blog/what-are-the-
types-of-audit-evidence/

Key Takeaways

Let’s recap the key concepts discussed in this section by watching this video.

Source: Mehta, A.M. (2023, December 6). AIS OER ch 03 topic 04 key takeaways [Video].
https://youtu.be/9sRffp30Fto

120 | 03.04. Effective Audit Procedures - Evidence-gathering Techniques

Knowledge Check

Review Questions

1. Explain why documentation is crucial in IS auditing and list two types of documents typically
reviewed during an IS audit.
2. Distinguish between qualitative and quantitative evidence in IS auditing and give an example
of each.
3. What do ‘sufficiency’ and ‘appropriateness’ of audit evidence mean, and why are they important
in IS auditing?
4. Describe the technique of ‘Reperformance’ in IS auditing and explain its significance.

03.04. Effective Audit Procedures - Evidence-gathering Techniques | 121

Mini Case Study

XYZ Corporation, a mid-sized manufacturing company, recently implemented a new Enterprise

Resource Planning (ERP) system. As part of the IS audit, you are tasked with assessing the effectiveness
of specific IT controls. The controls you need to assess include the following:

• User access controls to ensure only authorized personnel can access the ERP system.
• Change management controls for any modifications to the ERP system.
• Backup procedures to ensure data integrity and availability.

Required: Develop test of controls audit procedures using one or more evidence-gathering
techniques (Inquiry, Analysis, Observation, Inspection, Confirmation, Reperformance) discussed in this
section.

122 | 03.04. Effective Audit Procedures - Evidence-gathering Techniques

03.05. Effective Audit Procedures -
Sampling

Credit: Three people working in the office by Yan Krukau, used under the Pexels License.

Briefly reflect on the following before we begin:

• Why do auditors often use sampling methods to gather evidence during audits?
• What are some common risks involved in selecting samples during an audit?
• How would an IS Auditor go about selecting samples during an audit?

In this section, we will explore the diverse range of sampling techniques available to IS auditors. We will do
so by differentiating between statistical and non-statistical sampling methods, highlighting their respective
advantages and appropriate contexts of use. We will explore judgmental sampling, a critical method where the
auditor’s professional judgment plays a pivotal role in sample selection; random sampling techniques, which
are fundamental to reducing bias and ensuring representativeness in the audit findings; as well as stratified

03.05. Effective Audit Procedures - Sampling | 123

sampling, showcasing how it enhances audit efficiency by categorizing data into relevant strata. Lastly, we will
review the importance of software and tools in modern IS auditing, emphasizing how technology aids auditors
in executing more precise and effective sampling strategies.
Next, we will discuss the key principles that help determine sufficient sample sizes in IS audits. We will also
cover the concept of confidence intervals, an essential statistical tool that helps auditors understand the range
within which the true value of the population parameter lies. We will cover the interplay between sample size,
risk, and materiality, and how these factors influence the auditor’s decision-making process. Lastly, we will
address the challenges and implications of sampling errors in IS audits, such as selection and measurement
errors. We will also discuss the strategies for mitigating sampling errors that enable IS Auditors to reduce the
likelihood and effect of these errors in their audit work. In doing so, evaluating and reporting sampling errors
will be emphasized, highlighting the auditor’s responsibility to communicate these aspects transparently.

Sampling Methods in IS Auditing

Audit sampling emerges as a vital tool in IS auditing, where data volumes can be massive and resources are
limited. It is a systematic technique used to examine a subset of data or transactions within a population to
conclude the entire dataset. It allows auditors to assess the effectiveness of controls, identify anomalies, and
detect errors or irregularities without the need to examine every single transaction or piece of data. This is
especially crucial when dealing with extensive datasets that would be impractical to review. By selecting a
representative sample, auditors can focus on areas of higher risk or greater significance, optimizing resource
allocation. This ensures auditors can conduct thorough audits while efficiently managing time and resources.
Audit sampling is closely linked to risk assessment and materiality considerations as it enables IS auditors
to assess the level of risk within a dataset and determine whether errors or irregularities are material enough
to impact the overall audit conclusions. High-risk areas may warrant larger sample sizes or more intensive
testing, while lower-risk areas may require less extensive sampling. As we know, materiality is a measure of the
significance of an error or omission and guides auditors in determining how much evidence is needed. The
riskier the audit area, the more evidence we require, leading to larger sample sizes. Conversely, in areas with
lower risk, smaller samples may suffice. This relationship is crucial in tailoring the audit to the specific context
of the audited entity.
The first method we encounter is statistical sampling. This approach relies on probability theory, ensuring
that each element in the population has a known chance of being selected. Its beauty lies in its ability to
provide auditors with a quantifiable measure of sampling risk. This risk, the probability that the sample may not
represent the population accurately, is a fundamental concept in auditing. The three primarily used statistical
sampling approaches include:
Random sampling stands on the principle of equal chance, where every item in the population is equally
likely to be selected, ensuring a bias-free approach. Tools and software are often employed to aid this process,
bringing in precision and efficiency that manual methods cannot match. Random sampling’s strength lies in
its simplicity and fairness, making it a widely accepted method in IS auditing.
Stratified sampling enhances audit efficiency by dividing the population into subgroups or strata. This
technique is particularly effective when dealing with heterogeneous populations as it ensures that each
stratum is adequately represented in the sample, providing a more accurate view of the entire population.
Systematic sampling, in which an interval (i) is first calculated (population size divided by sample size), and
then an item is selected from each interval by randomly selecting one item from the first interval and selecting
every ith item until one item is selected from all intervals. Efficiency is a significant advantage, especially
when auditing extensive datasets, as it enables auditors to review a sample while maintaining a structured
approach. Systematic sampling assumes a uniform data distribution without patterns or anomalies that could
skew results and is not an ideal method to use when data exhibits systematic patterns or clustering.

124 | 03.05. Effective Audit Procedures - Sampling

Contrastingly, non-statistical sampling, often used in IS auditing, does not involve this statistical theory. Here,
the auditor’s professional judgment is paramount. While this method may not provide a quantifiable measure
of risk, it allows for flexibility and adaptability in diverse auditing environments. It’s particularly useful when
dealing with complex information systems where specific risks are identified through auditor expertise. The
three primarily used non-statistical sampling approaches include the following:

• Judgmental sampling heavily relies on the auditor’s experience and knowledge. In situations where
certain aspects of the system are deemed more critical, this method allows auditors to target these areas
specifically. It’s an approach where intuition, honed by years of experience, plays a key role. However,
auditors must remain vigilant to avoid biases that can skew the audit results.
• Block sampling begins with IS auditors partitioning the dataset into distinct blocks or groups based on
specific criteria such as transaction types, periods, or data categories. Rather than randomly selecting
individual items or transactions, auditors choose entire blocks for examination. The selection is guided by
auditors’ judgment, considering risk, materiality, and audit focus. It allows auditors to concentrate efforts
on specific areas of interest, making it suitable for targeted reviews of critical data subsets.
• Haphazard sampling allows auditors to select items without any predetermined pattern or criteria. The
selection process relies on auditors’ discretion and can involve simply picking items at random or based on
convenience. This approach offers a straightforward way to gather a sample for review, especially when
auditors are dealing with a limited dataset or when a formal sampling method may be unnecessary due to
the nature of the audit.

It is important to remember that sampling in IS auditing provides a reliable basis for making informed decisions
about the information system being audited. Hence, the choice of sampling method should align with the
audit’s objectives, the nature of the population, and the specific risks involved. Moreover, as technology
advances, the complexity of information systems auditing has escalated, and software tools enable auditors
to handle large volumes of data efficiently and accurately. They bring sophistication to sampling methods,
allowing auditors to perform more complex analyses and derive more nuanced insights.
Determining the sample size in an IS audit is a critical step that balances thoroughness with efficiency. The
process begins with a clear understanding of the audit’s objectives. It’s not about choosing a large sample for
comprehensiveness; it’s about choosing the right size to meet our specific IT audit objectives. Understanding
confidence intervals is integral to this process. A confidence interval is a range within which we expect the
true value of a population parameter to fall. It’s a concept that injects a degree of scientific rigour into our
audit conclusions. The width of this interval is influenced by the sample size – larger samples generally result
in narrower confidence intervals, offering greater precision. However, larger samples also mean more resources
and time. Thus, the auditor must strike a balance, ensuring the sample is sufficient to provide reliable results
without being unnecessarily large.
In testing controls (evaluating management’s processes), the IS Auditor applies the following guidance in
determining the sample size.

03.05. Effective Audit Procedures - Sampling | 125

Table: Determining Sample Size for Testing Controls

Limited Assurance from Test of

Frequency of the Control Reasonable Assurance from Test of Controls
Controls

Application Controls
1 1

Annually
1 1

Monthly & Quarterly

2 1

Weekly
5 2

Between Weekly & 250 times

10% of population (Min. of 5) 5% of population (Min. of 5)

Daily
25 – 60 10 – 20

> 250 instances or Ad-hoc

25 – 60 10 – 20

In performing substantive testing (evaluating the underlying activities instead of relying on management’s
processes), the IS Auditor will generally test between 1% – 5% of the population with an upper cap of 500
samples. Sampling guidance may vary based on the IS Audit functions’ risk appetite and philosophy.

Sampling Errors and Their Impact on Audit Conclusions

Sampling errors occur when the selected sample does not accurately represent the entire population. This
misrepresentation can lead to incorrect conclusions about the system being audited. The primary goal of
IS Auditors is to provide accurate and reliable insights into the systems we examine. Sampling errors pose
a significant risk to the integrity of the IS auditing work, and it is essential to recognize these errors and
understand their potential impact.
There are various types of sampling errors, each with its characteristics and implications. One common type
is the selection error, which arises when the method used to select the sample introduces bias. For example,
choosing a non-random sample that warrants random selection can lead to skewed results. Another type is the
measurement error, which occurs when there is a flaw in how information is collected or recorded. This type
of error can significantly distort audit findings. The impact of sampling errors on audit quality and reliability
cannot be overstated. When these errors are present, the audit conclusions drawn may be flawed, leading to
misguided decisions by stakeholders. This outcome can have far-reaching consequences, especially in high-
stakes environments where accurate and dependable audit results are crucial. Therefore, it is imperative for
auditors to take steps to minimize the occurrence of these errors.
Mitigating sampling errors involves several strategies. Firstly, careful planning and designing of the sampling
process are crucial. This planning includes selecting the appropriate sampling method and ensuring the
sample size is adequate for the audit objectives. Secondly, auditors must apply their professional judgment and
expertise in executing the sampling plan. This expertise involves being vigilant for signs of potential bias or
inaccuracies during the sampling process. Similarly, evaluating and reporting sampling errors is another critical
aspect. As auditors, we must identify and mitigate these errors and transparently communicate them in our
audit reports. This transparency ensures that stakeholders are aware of the limitations of the audit findings and
can interpret the results within the correct context.

126 | 03.05. Effective Audit Procedures - Sampling

In the Spotlight

For additional context on the role and importance of audit sampling, please read the article titled
“Audit Sampling” [new tab].

Henderson, K. (2023). Audit sampling. Wall Street Oasis. https://www.wallstreetoasis.com/resources/

skills/accounting/what-is-audit-sampling

Key Takeaways

Let’s recap the key concepts discussed in this section by watching this video.

Source: Mehta, A.M. (2023, December 6). AIS OER ch 03 topic 05 key takeaways [Video].
https://youtu.be/os1wvwFFtqE

03.05. Effective Audit Procedures - Sampling | 127

Knowledge Check

Review Questions

1. Explain the importance of selecting the right sampling method in IS auditing. Provide an
example of a situation where you would choose a statistical sampling method over a non-
statistical one, and vice versa.
2. Explain the concept of sample size determination in IS auditing. How does the level of risk in an
audit area influence the choice of sample size?
3. What are sampling errors in IS auditing, and how can they impact audit conclusions? Provide
an example of a sampling error and its potential consequences in an IS audit.
4. What are the key differences between statistical and non-statistical sampling methods in IS
auditing, and when would you use each?
5. How does an IS auditor determine the appropriate sample size for an audit, and what role do
confidence intervals play in this process?

128 | 03.05. Effective Audit Procedures - Sampling

6. What is a sampling error in the context of IS auditing, and how can it affect the audit’s
conclusions? Give an example.

Essay Question

Explain the importance of sampling in IS auditing and discuss the different sampling methods used.
Include in your explanation how each method impacts the audit process and outcomes. Additionally,
elaborate on how an IS auditor determines the appropriate sample size and the role of confidence
intervals in this process. Conclude by discussing the types of sampling errors that can occur in IS audits
and their potential impact on audit conclusions.

03.05. Effective Audit Procedures - Sampling | 129

03.06. A Case Study in Developing IS
Audit Plan and IS Audit Program

Credit: Woman in Black Blazer Standing Beside Woman in Blue Long Sleeve Shirt by RDNE Stock Project, used under the
Pexels License.

To put things in practical perspective, the case study in this section illustrates how to develop a
risk-based annual IS audit plan as well as a detailed IS audit program for a select audit from the plan.
Although the steps can be universally followed, the case study’s audit subjects and risk assessment
results are presented as generic in nature by design.

Company Overview

InnoTech Inc., a leader in renewable energy technologies, operates in a fast-paced and evolving industry. The

130 | 03.06. A Case Study in Developing IS Audit Plan and IS Audit Program
company, established 15 years ago, has carved a niche in developing and implementing innovative energy
solutions. Its product line is diverse, encompassing solar panels, wind turbines, and advanced energy storage
systems. Beyond manufacturing, InnoTech also extends its expertise to consulting and maintenance services,
ensuring the optimal performance of its energy solutions.
With its headquarters in the United States, InnoTech’s operations span across more than 20 countries,
including significant markets in Europe, Asia, and South America. This international presence is pivotal to the
company’s business strategy, allowing it to access varied energy markets and adapt to different regional energy
demands.
The company’s workforce of around 8,000 employees is a blend of talent, including engineers, researchers,
sales professionals, and various support roles. Organized into distinct divisions such as Research and
Development (R&D), Manufacturing, Sales and Marketing, and Customer Support, each sector contributes
uniquely to InnoTech’s overall success.
InnoTech’s IT infrastructure is a cornerstone of its operations and strategic growth. The company’s extensive
use of IT encompasses several key areas. A comprehensive Enterprise Resource Planning (ERP) system
integrates core business processes, facilitating seamless operations from production to HR management. The
Customer Relationship Management (CRM) software is integral to managing customer interactions, aiding the
sales team in efficiently tracking and servicing customers.
The R&D division relies heavily on specialized systems for developing new technologies and testing
prototypes. In manufacturing, the Manufacturing Execution Systems (MES) play a crucial role in overseeing
the production process. The adoption of cloud computing for data storage, application hosting, and analytics
represents InnoTech’s commitment to modern IT solutions. The network infrastructure, including LANs and
WANs, connects its global operations, while robust cybersecurity measures protect sensitive data and systems.
Managing such a diverse IT landscape presents unique challenges for InnoTech. The company needs to
maintain strong IT governance to manage technologies across different locations effectively. Risks such as
cybersecurity threats and system failures are constant concerns. However, these challenges also offer
opportunities for leveraging IT to spur innovation and improve decision-making processes through data
analytics.
Operating in a heavily regulated industry, InnoTech must adhere to various environmental, data protection,
and quality standards. Compliance is not just a legal requirement but also a key factor in maintaining the
company’s integrity and reputation.

Developing a Risk-based Annual IS Audit Plan

As discussed in Section 03.01, a risk-based annual IS Audit plan can be developed using the following structured
approach:

• Understand the Business

◦ Identify the organization’s strategies and business objectives.

◦ Understand business fundamentals.

◦ Identify applications supporting the business operations.
◦ Identify critical infrastructure for significant applications.
◦ Identify major projects and initiatives.

03.06. A Case Study in Developing IS Audit Plan and IS Audit Program | 131
◦ Determine realistic audit subjects.
• Perform Risk Assessment

◦ Develop processes to identify risks.

◦ Assess risk and rank audit subjects using IT risk factors.
◦ Assess risk and rank subjects using business risk factors.
• Formalize the Audit Plan

Based on the facts provided in the case study, the following priorities have been identified as the most relevant
considerations while understanding the business:

• ERP System Integration and Efficiency: Concerns around the effectiveness and integration of the ERP
system across business processes including production, HR, and finance.
• CRM System Effectiveness: Challenges in the operational effectiveness of CRM system’s capabilities in
managing customer interactions, data accuracy, and its contribution to sales strategies.
• R&D Systems and Innovation Management: Inefficiencies in the systems supporting R&D for their
effectiveness in fostering innovation, managing prototypes, and integrating with other business units.
• Manufacturing Execution System (MES) Compliance and Performance: Instances of non-compliance
with industry standards and inefficiencies in production processes for MES.
• Cloud Computing and Data Storage Security: Issues noted with cloud services for data security,
compliance with data protection laws, and efficiency in storage and retrieval processes.
• Network Infrastructure and Security: Assess the robustness, security, and efficiency of the company’s LAN
and WAN, including vulnerability to cyber threats.
• Cybersecurity Measures and Protocols: Evaluate the effectiveness of cybersecurity measures including
firewalls and intrusion detection systems, and adherence to security protocols.
• IT Governance and Policy Compliance: Inspect the IT governance framework for its effectiveness in policy
implementation, regulatory compliance, and alignment with corporate objectives.
• Data Analytics and Decision Support Systems: Audit data analytics processes for their role in strategic
decision-making, accuracy of insights, and integration with business functions.
• Employee IT Training and Awareness Programs: Review the effectiveness of IT training programs for
employees, focusing on awareness and adherence to IT policies and cybersecurity best practices.

Consequently, the IT Audit universe for InnoTech Inc. can look like this:

• Network Administration and Security

• Windows Server Administration and Security
• OS400 Server Administration and Security
• Oracle Database Administration and Security
• SAP ERP Application and General Controls
• Payroll Application and General Controls
• Major Capital Projects
• Corporate Privacy Compliance
• IT Infrastructure Configuration Management
• IT Governance Practices

132 | 03.06. A Case Study in Developing IS Audit Plan and IS Audit Program
In terms of the risk assessment, the 10 entities identified in the IT Audit universe above will be ranked on
likelihood and impact along the following five dimensions:

• Impact on the organization’s financial statement reporting (F/S Impact)

• High-level assessment of the quality of existing internal controls (I/C Quality)
• Confidentiality measures are designed to prevent sensitive information (Confidentiality)
• The consistency, accuracy, and trustworthiness of data (Integrity)
• Information should be consistently and readily accessible for authorized parties (Availability)

The rating scale for “likelihood (L)” is defined as follows:

• High (3): High probability that the risk will occur.

• Medium (2): Medium probability that the risk will occur.
• Low (1): Low probability that the risk will occur.

The rating scale for “impact (I)” is defined as follows:

• High (3): There is a potential for material impact on the organization’s earnings, assets, reputation, or
stakeholders.
• Medium (2): The potential impact may be significant to the audit unit, but moderate in terms of the total
organization.
• Low (1): The potential impact on the organization is minor in size or limited in scope.

Using the IT Audit universe, scales for risk assessment ranking, as well as the definitions of rating on the
“impact” and “likelihood”, an illustrated risk assessment output can look like this (using hypothetical risk ratings
compiled from IS Audit team as well as the organization’s executive management):

Table: Illustrated Risk Assessment Output

F/S I/C
Confidentiality Integrity Availability
Area Impact Quality Score*
L I L I L I L I L I

Network Adm & Security 3 2 3 2 3 3 3 2 3 3 36 (H)

Windows Adm & Security 3 3 3 2 3 2 3 3 2 3 36 (H)

OS400 Adm & Security 2 3 3 2 3 3 3 2 2 3 33 (M)

Oracle Adm & Security 3 2 3 1 3 2 3 2 3 3 30 (M)

SAP ERP Application 3 3 2 2 3 3 2 3 3 2 34 (M)

Payroll Application 2 2 3 3 3 3 2 2 3 3 35 (H)

Major Capital Projects 3 3 1 2 1 1 2 3 3 2 24 (L)

Privacy Compliance 2 2 3 3 3 1 1 3 2 3 25 (L)

IT Infrastructure Config. 3 2 2 2 3 3 3 3 3 3 37 (H)

IT Governance 3 2 2 2 3 3 2 1 1 3 24 (L)

Notes:
L = Likelihood; I = Impact; H = High; M = Medium; L = Low
* The final score is calculated as the sum of (likelihood * impact) for each of the five categories per line item.
Now that the risk assessment results are available, the next step is to formalize the audit plan. As discussed
earlier, the audit plan consists of risk-driven audit projects, mandatory compliance reviews, stakeholder

03.06. A Case Study in Developing IS Audit Plan and IS Audit Program | 133
requests, and follow-up audits of previously identified significant issues. Because these tasks need to be
completed using available internal audit resources, some risk-driven audit projects might not be incorporated
in the plan. Before we get to the IS audit plan, we will first prioritize the IT audit universe areas based on the net
scores as shown below:

Table: Prioritized IT Audit Universe Areas

Area Score

IT Infrastructure Configuration Management 37 (H)

Network Administration and Security 36 (H)

Windows Server Administration and Security 36 (H)

Payroll Application and General Controls 35 (H)

SAP ERP Application and General Controls 34 (M)

OS400 Server Administration and Security 33 (M)

Oracle Database Administration and Security 30 (M)

Corporate Privacy Compliance 25 (L)

Major Capital Projects 24 (L)

IT Governance Practices 24 (L)

InnoTech Inc. has an IS audit staff of five auditors or approximately 1,000 available days for engagements after
considering exception time and training. Based on the risk assessment of available audit subjects, mandatory
activities, and stakeholder requests, the most effective IS audit plan is shown below:

Table: Effective IS Audit Plan

Area Score Risk Level Timeline Audit Days Allocated

IT Infrastructure Configuration
37 High Q1 175
Management

Network Administration and Security 36 High Q1 150

Windows Server Administration and

36 High Q2 150
Security

Payroll Application and General Controls 35 High Q3 120

SAP ERP Application and General

34 Medium Q2 100
Controls

OS400 Server Administration and

33 Medium Q2 90 (Outsourced)
Security

Oracle Database Administration and

30 Medium Q4 85 (Outsourced)
Security

Corporate Privacy Compliance 25 Low Q2 60 (Outsourced)

Major Capital Projects 24 Low Q2 60

IT Governance Practices 24 Low Q4 60

Internal Controls Testing & Reporting N/A N/A Q3, Q4 100

Follow-up on Findings N/A N/A Q3, Q4 85

The audit plan in the table above is based on the Innotech Inc.’s IS audit department’s understanding of the

134 | 03.06. A Case Study in Developing IS Audit Plan and IS Audit Program
company’s strategies and objectives, historical knowledge of the control environment, and anticipated changes
in operations during the next audit period.
Next, we will formalize the IS audit plan for InnoTech Inc. to ensure the efficacy and thoroughness of the
auditing process by transforming the results of risk assessments and preliminary analyses into a structured
and actionable audit plan. A crucial aspect of the audit plan’s formalization is its communication and approval
by senior management and key stakeholders. This ensures that the audit objectives are aligned with the
broader organizational goals and that there is a cohesive understanding and agreement on the plan at the
highest levels of the organization. Finally, the plan includes a focus on training and preparing the audit team,
especially for the more complex and high-risk audit areas. This preparation is vital in equipping the auditors
with the necessary skills and knowledge to effectively navigate the intricacies of specific technologies, audit
methodologies, and regulatory requirements they will encounter.
Developing an IS Audit Program for the Network Administration and Security
Now that we have identified the risk-based annual IS audit plan, let’s build a detailed IS audit program for one
of the high-risk audits – Network Administration and Security Audit.
From our discussion in Section 03.03, we know that an IS Audit program contains the following elements:

• Define Audit Objectives

• Determine Audit Scope
• Review Client Controls
• Set Audit Criteria
• Audit Schedule & Resourcing
• Evidence Gathering Techniques

Here’s an illustrated IS audit program for each of the above components in context of the Network
Administration and Security Audit.

Program for Network Administration and Security Audit

Define Audit Objectives

The primary objective of the Network Administration and Security Audit for InnoTech Inc. is to
evaluate the effectiveness, reliability, and security of the company’s network infrastructure. This
includes assessing the administrative processes and security measures in place to protect against
unauthorized access, data breaches, and other cyber threats. The audit will also aim to ensure that
network administration aligns with the company’s IT policies and industry best practices, and
complies with relevant regulatory requirements.

Determine Audit Scope

The scope of this audit encompasses all aspects of network administration and security within
InnoTech Inc. This includes but is not limited to:

03.06. A Case Study in Developing IS Audit Plan and IS Audit Program | 135
• Physical and logical network infrastructure, including routers, switches, firewalls, and other
network devices.
• Network configuration and management processes.
• Network security policies, procedures, and practices.
• Access control mechanisms for network resources.
• Incident response and recovery procedures related to network security.
• Compliance with relevant laws and regulations, such as data protection laws.

The audit will cover all geographic locations of InnoTech Inc. where network infrastructure is
deployed.

Review Client Controls

This stage involves a comprehensive review of the existing controls InnoTech Inc. has
implemented for network administration and security. The review will focus on:

• Existing network security policies and procedures, ensuring they are up-to-date and
comprehensive.
• Implementation and effectiveness of access control systems.
• Security measures for protecting network infrastructure, including firewall configurations
and intrusion detection systems.
• Procedures for monitoring and responding to network security incidents.
• Regular maintenance and updates of network systems.

This review aims to identify any gaps or weaknesses in current controls that could expose the
company to network-related risks.

Set Audit Criteria

The audit criteria are the standards against which the network administration and security
practices of InnoTech Inc. will be evaluated. These criteria include the following:

• Compliance with industry standards such as ISO/IEC 27001 for information security
management.
• Adherence to internal policies and procedures of InnoTech Inc. related to network
management and security.
• Alignment with best practices in network administration and security.
• Compliance with legal and regulatory requirements pertinent to network security and data
protection.

136 | 03.06. A Case Study in Developing IS Audit Plan and IS Audit Program
Audit Schedule & Resourcing

The audit is scheduled to be conducted in Q1 and is allocated 150 audit days. The schedule is as
follows:

• Pre-audit planning: 2 weeks

• Fieldwork: 10 weeks
• Reporting: 3 weeks
• Follow-up and closure: 1 week

The audit team will consist of IT auditors experienced in network administration and security.
External experts may be consulted for specialized areas. Resources such as network diagrams, policy
documents, and access to network management systems will be required.

This audit program is designed to provide a comprehensive evaluation of the network

administration and security at InnoTech Inc. It aims to identify areas of strength and potential
improvement, ensuring the network infrastructure is robust, secure, and aligns with business
objectives and regulatory requirements.

Detailed Test of Controls Audit Procedures

Effective audit procedures must have the following four components:

• Extent of sampling (# of samples to review)

• Evidence-gathering technique to be used
• Specific client evidence to be reviewed
• Auditor’s actions as a part of the procedure

For the five existing controls identified in #3 (Review Client Controls) above, here are the proposed test of
controls audit procedures:

Proposed Test of Controls Audit Procedures

Control 1: Network Security Policies and Procedures

• Number of Samples: Review 40 randomly selected policy documents.

03.06. A Case Study in Developing IS Audit Plan and IS Audit Program | 137
• Evidence Gathering Technique: Inspection
• Specific Evidence to Review: Network security policy documents, including recent updates
and change logs.
• Auditor’s Actions:

◦ Examine the policies for comprehensiveness, relevance, and alignment with industry
standards.
◦ Verify the date of the last update and the frequency of reviews.
◦ Check for signatures and approvals.

Control 2: Implementation of Access Control Systems

• Number of Samples: Analyze access logs for 40 user accounts chosen at random.
• Evidence Gathering Technique: Analysis and Observation
• Specific Evidence to Review: Access control logs, user account details, and permission levels.
• Auditor’s Actions:

◦ Assess whether access levels are appropriate for each user’s role.
◦ Observe the process of granting, modifying, and revoking access.
◦ Verify that there are no unauthorized access instances.

Control 3: Security Measures for Network Infrastructure

• Number of Samples: Inspect configurations of 25 firewalls and 25 intrusion detection

systems.
• Evidence Gathering Technique: Inspection and Performance
• Specific Evidence to Review: Configuration settings, security patches, and update logs of
the selected devices.
• Auditor’s Actions:

◦ Check if configurations align with best practice standards.

◦ Ensure security patches are up-to-date.
◦ Test the performance of intrusion detection systems.

Control 4: Monitoring and Response to Network Security Incidents

• Number of Samples: Examine records of the last 25 reported security incidents.

• Evidence Gathering Technique: Inspection and Inquiry
• Specific Evidence to Review: Incident reports, response actions taken, and follow-up
documentation.
• Auditor’s Actions:

138 | 03.06. A Case Study in Developing IS Audit Plan and IS Audit Program
◦ Review the incident handling process for completeness and timeliness.
◦ Inquire about the effectiveness of the response and any lessons learned or process
improvements implemented.

Control 5: Regular Maintenance and Updates of Network Systems

• Number of Samples: Audit maintenance logs for 40 network devices over the past year.
• Evidence Gathering Technique: Inspection and Analysis
• Specific Evidence to Review: Maintenance schedules, update logs, and service reports.
• Auditor’s Actions:

◦ Verify that maintenance is conducted regularly and in line with industry best practices.
◦ Analyze the logs for any missed or delayed maintenance activities.
◦ Ensure that updates are applied in a timely manner and documented.

This wraps up the case study walkthrough of developing a risk-based annual IS audit plan and an IS audit
program to give you a practical perspective on the key concepts discussed throughout this chapter. Collectively,
these concepts and the example will help you effectively evaluate the IT General Controls (Chapter 5) and
Application Controls (Chapter 6).

03.06. A Case Study in Developing IS Audit Plan and IS Audit Program | 139

Radical Reporting - Writing Better Audit, Risk, Compliance, and Information Security Reports (Security, Audit and Leadership Ser (2025, CRC Press) - Libgen - Li
100% (1)
Radical Reporting - Writing Better Audit, Risk, Compliance, and Information Security Reports (Security, Audit and Leadership Ser (2025, CRC Press) - Libgen - Li
261 pages
IT Audit
No ratings yet
IT Audit
25 pages
AAISM Domain1 MCQs With Answers
No ratings yet
AAISM Domain1 MCQs With Answers
5 pages
Bessemer Venture Partners Investment Memo LinkedIn 1722106006
No ratings yet
Bessemer Venture Partners Investment Memo LinkedIn 1722106006
10 pages
ATU-HND Project Work Format
No ratings yet
ATU-HND Project Work Format
34 pages
Certified Security Project Manager Course
100% (1)
Certified Security Project Manager Course
5 pages
ACL101 Foundations 21-10-2022 - Trainer's
No ratings yet
ACL101 Foundations 21-10-2022 - Trainer's
119 pages
Computer Ethics
No ratings yet
Computer Ethics
31 pages
Internal Audit Manual
No ratings yet
Internal Audit Manual
184 pages
Introduction To Entrepreneurship
67% (3)
Introduction To Entrepreneurship
11 pages
P1-1. What Management Skills Do You Think Would Be Most Important For Howard Schultz To Have? Why? What Skills Do You Think Would Be Most Important For A Starbucks Store Manager To Have? Why?
No ratings yet
P1-1. What Management Skills Do You Think Would Be Most Important For Howard Schultz To Have? Why? What Skills Do You Think Would Be Most Important For A Starbucks Store Manager To Have? Why?
3 pages
OWASP Top Ten Proactive Controls v3
No ratings yet
OWASP Top Ten Proactive Controls v3
110 pages
Trade Confirmation Up005
No ratings yet
Trade Confirmation Up005
3 pages
DKSH Full Year 2024 Annual Report
No ratings yet
DKSH Full Year 2024 Annual Report
142 pages
FAR Practice Problems
No ratings yet
FAR Practice Problems
34 pages
Performance Evaluation
No ratings yet
Performance Evaluation
44 pages
WAPDP Systems Development Project Management
No ratings yet
WAPDP Systems Development Project Management
101 pages
Ethical Hacking A Licence To Hack
No ratings yet
Ethical Hacking A Licence To Hack
24 pages
The Trusted Tool For Data Analysis
No ratings yet
The Trusted Tool For Data Analysis
7 pages
Governance Conceptual Issues
No ratings yet
Governance Conceptual Issues
11 pages
Gym Management Software
No ratings yet
Gym Management Software
28 pages
Ebay Dropshipping Starter Guide
No ratings yet
Ebay Dropshipping Starter Guide
10 pages
Cybersecurity Measures Safeguarding Digital Assets and Mitigating Risks in An Increasingly Interconnected World
No ratings yet
Cybersecurity Measures Safeguarding Digital Assets and Mitigating Risks in An Increasingly Interconnected World
12 pages
Isaca Code of Professional Ethics Is Auditing Standards Is Auditing Guidelines Tools and Techniques
No ratings yet
Isaca Code of Professional Ethics Is Auditing Standards Is Auditing Guidelines Tools and Techniques
20 pages
L14-15 Data Security
No ratings yet
L14-15 Data Security
29 pages
Cloud Computing An Internal Audit Perspective
No ratings yet
Cloud Computing An Internal Audit Perspective
43 pages
Cyber Secure Pakistan 2019 Report
No ratings yet
Cyber Secure Pakistan 2019 Report
23 pages
Project Report Final Project 1
No ratings yet
Project Report Final Project 1
22 pages
CAATS and Fraud - June 14
No ratings yet
CAATS and Fraud - June 14
85 pages
Ittihad University: Assignment Two
0% (1)
Ittihad University: Assignment Two
12 pages
New Head of Internal Audit PDF
No ratings yet
New Head of Internal Audit PDF
20 pages
Internal Audit Journal
No ratings yet
Internal Audit Journal
76 pages
2023 State of Internal Audit Trends Report
No ratings yet
2023 State of Internal Audit Trends Report
33 pages
TTU109075 Global Balance Prospectus
No ratings yet
TTU109075 Global Balance Prospectus
62 pages
Ola Skarpmoen Eriksen
No ratings yet
Ola Skarpmoen Eriksen
77 pages
Az 300 Studyguide PDF
No ratings yet
Az 300 Studyguide PDF
10 pages
7004 Assignment
0% (2)
7004 Assignment
3 pages
Is Starting A Business Right For You
No ratings yet
Is Starting A Business Right For You
33 pages
Chapter 2 - Audit Principles
100% (1)
Chapter 2 - Audit Principles
6 pages
Karex - Nomura Research Result Report 02032015 PDF
No ratings yet
Karex - Nomura Research Result Report 02032015 PDF
23 pages
Taste of Feeling: The Marketing Strategy of Jollibee Foods Corporation in Cavite City January-February 2019
No ratings yet
Taste of Feeling: The Marketing Strategy of Jollibee Foods Corporation in Cavite City January-February 2019
6 pages
Corporate Governance of Information Technology - Wikipedia
No ratings yet
Corporate Governance of Information Technology - Wikipedia
24 pages
Porter5 Forces (Banking Industry)
100% (1)
Porter5 Forces (Banking Industry)
3 pages
Internal Control
No ratings yet
Internal Control
33 pages
General IT Audit Program
100% (1)
General IT Audit Program
16 pages
Information Technology Audit: General Principles
No ratings yet
Information Technology Audit: General Principles
26 pages
Citp Examination - Content Specification Outline (Cso) - Final PDF
100% (1)
Citp Examination - Content Specification Outline (Cso) - Final PDF
14 pages
Solution On MFRS 120
100% (1)
Solution On MFRS 120
5 pages
CISA Task Statements
0% (2)
CISA Task Statements
3 pages
Shareholder Day Presentation 2023 FINAL
No ratings yet
Shareholder Day Presentation 2023 FINAL
26 pages
Chads Creative Concepts Case Study
100% (1)
Chads Creative Concepts Case Study
5 pages
Discretioary Revenues As A Measure of Earnings Management
No ratings yet
Discretioary Revenues As A Measure of Earnings Management
24 pages
11 14 2023 NSE FortiPoints
No ratings yet
11 14 2023 NSE FortiPoints
26 pages
Is Audit and Management: Assignment Submitted To: Sir Rashid Qutub From:Mansoor Khan 22006
No ratings yet
Is Audit and Management: Assignment Submitted To: Sir Rashid Qutub From:Mansoor Khan 22006
23 pages
Cybersecurity Strategy
No ratings yet
Cybersecurity Strategy
15 pages
CC7177 2 MS Exam Y1718S1 1711011010
0% (1)
CC7177 2 MS Exam Y1718S1 1711011010
3 pages
GRC Reference Architecture - The GRC Enterprise Application Core
No ratings yet
GRC Reference Architecture - The GRC Enterprise Application Core
5 pages
How To Conduct Security Audit
No ratings yet
How To Conduct Security Audit
7 pages
Audit
No ratings yet
Audit
15 pages
Business Requirement Document (BRD)
No ratings yet
Business Requirement Document (BRD)
8 pages
CISA-Item-Development-Guide Bro Eng 0219 PDF
No ratings yet
CISA-Item-Development-Guide Bro Eng 0219 PDF
15 pages
CISSP - Exam.32q: Website: VCE To PDF Converter: Facebook: Twitter
No ratings yet
CISSP - Exam.32q: Website: VCE To PDF Converter: Facebook: Twitter
16 pages
A Sustainability Overview of The Best Practices in The Airport Sector
No ratings yet
A Sustainability Overview of The Best Practices in The Airport Sector
17 pages
Internal Audit Solutionbrief
No ratings yet
Internal Audit Solutionbrief
13 pages
Auditing in CIS Environment DISCUSSION 13
No ratings yet
Auditing in CIS Environment DISCUSSION 13
7 pages
Software Testing
No ratings yet
Software Testing
21 pages
Order Agreement - MANGINI - KYRIOS
No ratings yet
Order Agreement - MANGINI - KYRIOS
2 pages
It Governance
No ratings yet
It Governance
12 pages
CH1 MKT STG
No ratings yet
CH1 MKT STG
5 pages
Computer Audit
No ratings yet
Computer Audit
36 pages
APAC Privacy - Australia - FINAL (2017!10!10)
No ratings yet
APAC Privacy - Australia - FINAL (2017!10!10)
14 pages
IS Audit Process Chapter Overview
No ratings yet
IS Audit Process Chapter Overview
13 pages
CISA - 3th Chapter - System and SDLC
No ratings yet
CISA - 3th Chapter - System and SDLC
12 pages
Statement of Account: Xxxxxxxxxx8026
No ratings yet
Statement of Account: Xxxxxxxxxx8026
2 pages
CISA Certification Topics
No ratings yet
CISA Certification Topics
6 pages
Training Workshop On IT Auditing
No ratings yet
Training Workshop On IT Auditing
2 pages
Chapter 7 Acctng For Materials Activity PDF
No ratings yet
Chapter 7 Acctng For Materials Activity PDF
3 pages
UDSM - VACANCY - Assistant Accountant
No ratings yet
UDSM - VACANCY - Assistant Accountant
2 pages
Pi 13mgfq-700 New Design Bag Machine-20250328
No ratings yet
Pi 13mgfq-700 New Design Bag Machine-20250328
2 pages
Saln Sandino Romano
No ratings yet
Saln Sandino Romano
3 pages
Manop 7 ROIC Tree
No ratings yet
Manop 7 ROIC Tree
3 pages
ISACA Code of Professional Ethics
No ratings yet
ISACA Code of Professional Ethics
1 page
Contract Management Experience Including...
No ratings yet
Contract Management Experience Including...
2 pages
IT Audit Field Manual: Strengthen your cyber defense through proactive IT auditing
From Everand
IT Audit Field Manual: Strengthen your cyber defense through proactive IT auditing
Lewis Heuermann
No ratings yet
Security Testing Handbook for Banking Applications
From Everand
Security Testing Handbook for Banking Applications
Arvind Doraiswamy
5/5 (1)
Software Asset Management: What Is It and Why Do I Need It?: A Textbook on the Fundamentals in Software License Compliance, Audit Risks, Optimizing Software License ROI, Business Practices and Life Cycle Management
From Everand
Software Asset Management: What Is It and Why Do I Need It?: A Textbook on the Fundamentals in Software License Compliance, Audit Risks, Optimizing Software License ROI, Business Practices and Life Cycle Management
Carl A. Bolton
No ratings yet
Certified Information Systems Auditor Exam Prep And Dumps Exam Review Guide for ISACA CISA Exam PART 3
From Everand
Certified Information Systems Auditor Exam Prep And Dumps Exam Review Guide for ISACA CISA Exam PART 3
Byte Books
No ratings yet
Certified Information Systems Auditor Exam Prep And Dumps Exam Review Guide for ISACA CISA Exam PART 4
From Everand
Certified Information Systems Auditor Exam Prep And Dumps Exam Review Guide for ISACA CISA Exam PART 4
Byte Books
No ratings yet
Information Systems Auditing: The IS Audit Testing Process: Information Systems Auditing, #3
From Everand
Information Systems Auditing: The IS Audit Testing Process: Information Systems Auditing, #3
Robert E. Davis
1/5 (1)
Qualified Security Assessor Complete Self-Assessment Guide
From Everand
Qualified Security Assessor Complete Self-Assessment Guide
Gerardus Blokdyk
No ratings yet