Domain 1: Part 2 (Audit Evidence Collection Techniques)

Evidence

• any information used by an IS auditor to determine whethe rthe entity or data being audited follows the established criteria or objectives and supports audit conclusions

• includes

  • is auitors observations

  • notes taken from interviews

  • results of independence confirmations

  • materak extracted from correspondence with external partners

  • results of audit test procedures

• is auditor must focus on the objectives of the audit and not on the nature of this

• considered competent when it is both valid and relevant

Reliability of audit

Determined by

• independence and qualifications of the evidence provider

• objectivity and timing of the evidence

Reviewing IS

Techniques for Gathering Evidence

• organization structures

  • assess the level of control the org provides

• policies and procedures

  • verify that management assumes full responsibility for creation and controlling policies containing general aims and directives

• standard

  • understand the existing standards in place

• documentation

  • first step in doing this is to understand existing documentation in place

  • documentation can be a hard copy or stored electronically

    • controls to preserve this should evaluated

Interview appropriate personnel

Techniques for Gathering Evidence

• interview form + checklist is a good approach

• personnel interviews are discovery in nature and should never be accusatory

Observe process and employee performance

Techniques for Gathering Evidence

• audit report may not be timely and so the use of interim report

• documentary evidence may be considered

Reperformance

Techniques for Gathering Evidence

• provides better evidence than other techniques

• used when combination of inquiry, observation, and examination of evidence does not suffice

Walk-through

Techniques for Gathering Evidence

• confirm the understanding of controls

Interviews and observation

Doing this at personnel in the performance of their duties assists an IS auditor in identifying

• actual functions

  • confirms that the individual assigned to perform a function is actually the one doing the job. witnesses how policies are being understood and practiced

• actual processes/procedures

  • performing a walkthrough of processes allows the obtaining evidence of compliance and observe deviations. useful for physical controls

• security awareness

  • this should be observed to determine individuals understanding of good preventative and detective security measures

• reporting relationships

  • should be observed to ensure that assigned responsibilities and SoD are being practiced

• observation drawbacks

  • observer may interfere with the observed environment. personnel notice they are being interviewed and changes behavior