Compliance testing determines whether controls are being applied in accordance with policy. Variable sampling is used to estimate numerical values, such as dollar amounts. Substantive testing substantiates the integrity of actual processing, such as the balances in financial statements. Stop-or-go sampling lets a test be stopped as soon as enough evidence has been gathered and is used when the auditor expects few errors; it is not the method for checking whether procedures have been followed.
Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality in a population and is used in compliance testing to confirm whether the quality exists.
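The following is an added worked example (not part of the original notes) of attribute sampling as described above: it sizes a sample, draws it from a constructed population of change tickets, and tests whether the observed deviation rate supports a conclusion that the control (ticket approval) is being followed. The sample-size and upper-limit formulas use the normal approximation to the binomial, which is an assumption made for readability; published attribute-sampling tables compute the same quantities exactly from the binomial distribution.

```python
import math
import random

# Constructed population (not real data): 2,000 change tickets, every 25th one
# was deployed without the required approval (a 4% true deviation rate).
POPULATION = [{"ticket": i, "approved": i % 25 != 0} for i in range(1, 2001)]


def attribute_sample_size(expected_rate, precision, z=1.96):
    """Sample size needed to estimate a rate of occurrence.

    Normal approximation (assumption): n = z^2 * p * (1 - p) / E^2, where p is
    the expected deviation rate, E the desired precision and z the z-score
    for the chosen confidence level (1.96 for 95% two-sided).
    """
    return math.ceil(z * z * expected_rate * (1 - expected_rate) / (precision ** 2))


def draw_sample(population, n, seed=0):
    """Random selection without replacement; the seed makes the draw repeatable for review."""
    return random.Random(seed).sample(population, n)


def evaluate_attribute_sample(sample, has_deviation, tolerable_rate, z=1.645):
    """Decide whether the control is being complied with.

    The test passes when the upper limit of the deviation rate (observed rate
    plus z standard errors; z=1.645 gives a 95% one-sided limit) does not
    exceed the tolerable deviation rate set when planning the audit.
    """
    n = len(sample)
    deviations = sum(1 for item in sample if has_deviation(item))
    rate = deviations / n
    upper = rate + z * math.sqrt(rate * (1 - rate) / n)
    return {
        "n": n,
        "deviations": deviations,
        "observed_rate": rate,
        "upper_limit": upper,
        "compliant": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    # Planning: expect about 5% deviations, want +/-3% precision.
    n = attribute_sample_size(expected_rate=0.05, precision=0.03)
    sample = draw_sample(POPULATION, n, seed=42)
    result = evaluate_attribute_sample(
        sample, has_deviation=lambda t: not t["approved"], tolerable_rate=0.08
    )
    print(f"sample size {n}, {result['deviations']} deviations, "
          f"upper limit {result['upper_limit']:.3f}, compliant={result['compliant']}")
```

If the upper limit exceeds the tolerable rate the auditor cannot rely on the control and must either extend the sample or, as the note above on unmet sample-size objectives says, fall back to an alternate (typically substantive) testing procedure.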
An audit charter should state management's objectives for the IS audit function and the authority delegated to it.
The IS auditor needs to perform substantive testing and an additional analysis in order to determine why the approval and workflow processes are not working as intended.
If a sample size objective can’t be met with the given data, the auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop an alternate testing procedure.
The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions.
Enabling audit trails helps establish the accountability and responsibility for processed transactions by allowing each transaction to be traced through the system.
When designing an audit plan, it is important to identify the areas of highest risk in order to determine which areas will be audited.
Control Self Assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. CSA is the review of business objectives and internal controls in a formal and documented collaborative process. The primary objective of a control self-assessment program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line manager. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. The attributes of CSA include: empowered employees, continuous improvement, extensive employee participation and training.
The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope will most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited.
An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work.
Audit risk is the combination of inherent, control and detection risk for a given audit assignment. Inherent risk is the risk that an error exists in the absence of any compensating controls. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. Detection risk is the risk that the auditor's own procedures fail to detect a material error that the controls did not catch.
The primary objective of forensic software is to preserve electronic evidence to meet the rules of evidence.
Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations.
The goal of the exit (closing) meeting is to confirm the factual accuracy of the audit findings and to give management an opportunity to agree on corrective action.
Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data.
An independent test performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party, since such a letter does not conform to audit standards and is subjective.
The use of hash totals is an effective method of reliably detecting errors in data processing. A hash total is the sum of a field that has no meaning in itself (for example, account numbers) computed before and after processing; a mismatch shows that records were lost, duplicated or altered, including transpositions that a financial total alone would not reveal.
An Integrated Test Facility (ITF) creates a fictitious entity in the database so that test transactions can be processed simultaneously with live input. Its advantage is that periodic testing does not require a separate test process.
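The following is an added example (not part of the original notes) illustrating the hash-total control described above together with the sequence-checking and duplicate-checking features attributed to generalized audit software earlier on this page. It runs over a constructed transaction batch, recomputes the control totals after "processing" and reports any discrepancy; the field layout, record contents and the choice of account number as the hash field are assumptions made for the example.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample batch (not real data): (sequence_no, account_no, amount).
BATCH = [
    (1001, 4471, Decimal("120.50")),
    (1002, 9823, Decimal("75.00")),
    (1003, 4471, Decimal("300.00")),
    (1004, 1105, Decimal("42.25")),
    (1005, 7718, Decimal("999.99")),
]

# Same batch after a digit transposition in record 1002's account number
# (9823 -> 9832). The financial total is unchanged, so only the hash total
# can reveal the alteration.
TRANSPOSED = [BATCH[0], (1002, 9832, Decimal("75.00"))] + BATCH[2:]

# Same batch with record 1003 dropped and record 1002 entered twice.
MANGLED = [BATCH[0], BATCH[1], BATCH[1], BATCH[3], BATCH[4]]


def control_totals(records):
    """The three classic batch control totals.

    record_count and financial_total are meaningful in themselves; hash_total
    is the sum of account numbers, a field whose sum has no business meaning
    and exists only to be recomputed and compared.
    """
    return {
        "record_count": len(records),
        "financial_total": sum(r[2] for r in records),
        "hash_total": sum(r[1] for r in records),
    }


def verify_batch(records, expected):
    """Recompute the totals after processing and list every total that disagrees."""
    actual = control_totals(records)
    return [(name, expected[name], actual[name])
            for name in expected if expected[name] != actual[name]]


def sequence_gaps(records):
    """Sequence checking: sequence numbers missing between the lowest and highest seen."""
    seen = {r[0] for r in records}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)


def duplicate_records(records):
    """Duplicate checking: sequence numbers that occur more than once."""
    counts = Counter(r[0] for r in records)
    return sorted(seq for seq, n in counts.items() if n > 1)


if __name__ == "__main__":
    expected = control_totals(BATCH)  # totals taken at data entry
    print("clean batch discrepancies:", verify_batch(BATCH, expected))
    print("transposed batch discrepancies:", verify_batch(TRANSPOSED, expected))
    print("mangled batch gaps/duplicates:", sequence_gaps(MANGLED), duplicate_records(MANGLED))
```

Note that the control totals are blind to an error that preserves every sum, such as two records swapping their amounts; that is why generalized audit software combines totals with recomputation of individual records rather than relying on any one check.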
In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.
Understanding the business process is the first step an IS auditor needs to perform.