The most effective IT audits depend upon effective planning. Creating an audit program can be daunting, but it becomes more manageable when broken down into steps.
The effectiveness of the audit depends mainly on the quality of the audit program. According to an ISACA report (Information Systems Auditing Tools and Techniques: Creating Audit Programs), there are five steps organizations should take to create an effective audit program and reap the benefits of a successful information systems audit. According to the guide, the audit process consists of three phases:
Planning
Fieldwork and documentation
Reporting and follow-up
Here are some best practices to help you create effective audits:
1. Determine audit subject
"ISACA's new white paper provides audit and assurance professionals with practical guidance on how to develop audit programs from the ground up," said Rosemary M. Amato, CMA, CISA, a director on ISACA's Board, and Director, Deloitte Accountant B.V.
"Audit processes are clearly defined by phase with activities described. ISACA's new guide can be leveraged in your organization to add value to the audit function."
2. Define audit objective, and 3. Set audit scope
According to the white paper, setting the audit scope is critical because "the IS auditor will need to understand the IT environment and its components to identify the resources required to conduct a comprehensive evaluation." A clear scope helps your team determine the testing points that matter most to the audit's objective.
4. Perform pre-audit planning
Pre-audit planning includes conducting a risk assessment, identifying regulatory compliance requirements, and determining the resources needed.
5. Determine audit procedures and steps for data gathering
This step involves obtaining departmental policies for review, developing a methodology to test and verify controls, and developing test scripts plus criteria to evaluate the test.
Once planning is complete, auditors can move on to the fieldwork and documentation phase (acquiring data, testing controls, issue discovery and validation, documenting results) and the reporting phase (gathering report requirements, drafting the report, publishing the information, and follow-up). The ISACA paper does an excellent job of describing both.
Wade Brylow was previously the director of internal audit for Northrop Grumman's Technology Services sector. The opinions and ideas expressed here are those of the author and do not represent the opinions, positions, or policies of Northrop Grumman or any other organization.