Reviewing the Audit


An important step before developing the audit conclusions is to evaluate the evidence gathered for strengths and weaknesses. The auditor must make judgments based primarily on experience. This review process is critical to the outcome of the findings and recommendations. ISACA's standard for IS auditing 030.020, Professional Care guides the auditor while performing the audit, along with the determination of strengths and weaknesses of the evidence.

The IS auditor might need a high degree of specialized technical proficiency and might need to provide consulting or advisory services with regard to the findings and recommendations. Auditors do not produce an opinion; they simply provide a summary of the work performed in connection with the engagement. The IS auditor might provide the following services:

  • Systems implementation reviews

  • Enterprise resource-planning implementations

  • Security reviews (Enterprise, SAP, Oracle, PeopleSoft)

  • Database application reviews

  • IT infrastructure and improvements needed for engagements

  • Project-management reviews

  • IT internal audit services

The auditor can use the control matrix to assess the proper level of controls. The control matrix is created during the planning stages of the audit and encompasses known errors and known controls to detect errors. During the audit and review, the auditor will find both strong and weak controls, which should all be considered when evaluating the overall structure. A weak control in one area might be compensated for by a stronger control in another area.

In today's complex IT environment, it is common to find overlapping or compensating controls. IT managers and technical resources frequently employ defense-in-depth strategies, which are based on layered sets of controls that often compensate for each other. It is important for the auditor to recognize the relationship and overall effect of compensating controls before reporting a weakness.
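The control-matrix evaluation the text describes (mapping each risk to its controls, then judging whether a weak control in one area is compensated for by a stronger one in another before reporting a weakness) can be made concrete in a few lines. The following is an added example, not code from the book; the risks, control names, areas and strength ratings are constructed for illustration.

```python
"""Control-matrix review with compensating controls (added example, constructed data)."""
from dataclasses import dataclass

# Ordinal scale for the auditor's judgment of control effectiveness.
STRENGTH = {"weak": 1, "moderate": 2, "strong": 3}


@dataclass
class Control:
    name: str
    area: str       # control area, e.g. "access control", "change management"
    strength: str   # "weak" | "moderate" | "strong"


@dataclass
class Risk:
    name: str
    controls: list  # Control objects mapped to this risk in the matrix


def evaluate(risk):
    """Judge one row of the control matrix.

    Returns (verdict, detail) where verdict is one of:
      "weakness"    - no control, or only weak controls: candidate finding
      "compensated" - a weaker control is backed by a stronger one in another area
      "adequate"    - the strongest mapped control stands on its own
    """
    if not risk.controls:
        return ("weakness", "no control mapped")
    best = max(risk.controls, key=lambda c: STRENGTH[c.strength])
    if STRENGTH[best.strength] == STRENGTH["weak"]:
        names = ", ".join(c.name for c in risk.controls)
        return ("weakness", f"only weak controls: {names}")
    # A weaker control in a *different* area is compensated for by `best`.
    weaker = [c for c in risk.controls
              if STRENGTH[c.strength] < STRENGTH[best.strength] and c.area != best.area]
    if weaker:
        w = weaker[0]
        return ("compensated",
                f"{w.name} ({w.area}, {w.strength}) compensated by {best.name} ({best.area}, {best.strength})")
    return ("adequate", f"{best.name} is {best.strength}")


def review_matrix(risks):
    """Evaluate every risk; returns {risk name: (verdict, detail)}."""
    return {r.name: evaluate(r) for r in risks}


def report_weaknesses(risks):
    """Risks that should be reported as weaknesses after considering compensation."""
    return [name for name, (verdict, _) in review_matrix(risks).items() if verdict == "weakness"]


# Constructed sample matrix: four risks, each with the controls mapped to it.
SAMPLE_RISKS = [
    Risk("Unauthorized change to production code", [
        Control("Developer self-review", "application development", "weak"),
        Control("Change advisory board approval", "change management", "strong"),
    ]),
    Risk("Standalone remote PC access", [
        Control("Local password policy", "access control", "weak"),
    ]),
    Risk("Data entry error", [
        Control("Input validation", "application", "strong"),
    ]),
    Risk("Unlogged administrator activity", []),
]

if __name__ == "__main__":
    for name, (verdict, detail) in review_matrix(SAMPLE_RISKS).items():
        print(f"{verdict:12} {name}: {detail}")
    print("Report as weaknesses:", report_weaknesses(SAMPLE_RISKS))
```

Running the script shows the weak self-review control being absorbed by the change-management approval rather than reported, while the standalone remote PC and the unlogged administrator activity remain as findings; the materiality of each finding for the audience is still a separate judgment.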

Part of the review pertains to the materiality of the evidence. The question of materiality rests on the auditor's judgment, but it should also be based on a determination of which information is pertinent to each level of management to which the audit findings and recommendations will be communicated.

As an example, an access-control weakness on a standalone computer at a remote site will be material to management at that site but might not be material to management at headquarters.

CISA Exam Cram 2
ISBN: B001EEFNHG
Year: 2005
Pages: 146