IS Auditing Practices and Techniques

An auditor can perform a variety of audit types. Our primary topic is IT auditing, but it is important to understand the procedures associated with each type of audit:

• Financial audit A financial audit often involves detailed, substantive testing. This kind of audit relates to information integrity and reliability; its purpose is to assess the correctness of the organization's financial statements.

• Operation audit An operation audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operation audits.

• Integrated audit An integrated audit combines the testing of controls and substantive testing for the completeness, validity, and integrity of the information. An SAS 94 audit is an example of an integrated audit.

• Administrative audit This audit assesses issues related to the efficiency of operation productivity within an organization.

• Information systems audit This process collects and evaluates evidence to determine whether information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operation, and control objectives will be met.

• Compliance audit Compliance auditing involves an integrated series of activities focused on investigating and confirming whether products or services comply with internal policy or external guidelines or laws. Sarbanes-Oxley and the Health Insurance Portability Act are examples of external laws that require compliance.

Per ISACA, a CISA candidate will not be asked about specific laws or regulations but may be questioned about how one would audit for compliance with laws and regulations. The examination tests knowledge of only accepted global practices.