Anda di halaman 1dari 2

Information System audit methodology has been developed in accordance with International Information Systems Audit Standards e.

g ISACA Information Systems Audit Standards and Guidelines and the Sabarne Oxley COSO Standard. The beginning point of this methodology is to carry out planning activities that are geared towards integrating a Risk Based Audit Approach to the IS Audit.

PHASE 1: Audit Planning


In this phase we plan the information system coverage to comply with the audit objectives specified by the Client and ensure compliance to all Laws and Professional Standards. The first thing is to obtain an Audit Charter from the Client detailing the purpose of the audit, the management responsibility, authority and accountability of the Information Systems Audit function as follows: Responsibility: The Audit Charter should define the mission, aims, goals and objectives of the Information System Audit. At this stage we also define the Key Performance Indicators and an Audit Evaluation process; Authority: The Audit Charter should clearly specify the Authority assigned to the Information Systems Auditors with relation to the Risk Assessment work that will be carried out, right to access the Clients information, the scope and/or limitations to the scope, the Clients functions to be audited and the auditee expectations; and Accountability: The Audit Charter should clearly define reporting lines, appraisals, assessment of compliance and agreed actions. The Audit Charter should be approved and agreed upon by an appropriate level within the Clients Organization Risk is the possibility of an act or event occurring that would have an adverse effect on the organisation and its information systems. Risk can also be the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to, the assets. It is ordinarily measured by a combination of effect and likelihood of occurrence. The process of quantifying risk is called Risk Assessment. Risk Assessment is useful in making decisions such as: The area/business function to be audited The nature, extent and timing of audit procedures The amount of resources to be allocated to an audit The following types of risks should be considered: Inherent Risk

Control Risk Detection Risk

PHASE 3 Performance of Audit Work


the performance of Audit Work the Information Systems Audit Standards require us t o provide supervision, gather audit evidence and document our audit work. We achieve this objective through: Establishing an Internal Review Process where the work of one person is reviewed by another, preferably a more senior person. We obtain sufficient, reliable and relevant evidence to be obtained through Inspection, Observation, Inquiry, Confirmation and recomputation of calculations We document our work by describing audit work done and audit evidence gathered to support the auditors findings.

PHASE 4: Reporting
Upon the performance of the audit test, the Information Systems Auditor is required to produce and appropriate report communicating the results of the IS Audit. An IS Audit report should: 1. Identify an organization, intended recipients and any restrictions on circulation 2. State the scope, objectives, period of coverage, nature, timing and the extend of the audit work 3. State findings, conclusions, recommendations and any reservations, qualifications and limitations 4. Provide audit evidence