How to conduct an information system audit

First, investigation. This audit step is used to record the activities related to the control objectives, determine the control measures and procedures that the organization claims to have implemented, and confirm that they exist.

Meet with relevant managers and employees to understand:

Risks related to business needs;

Organizational structure;

Roles and responsibilities;

Policies and procedures;

Laws and regulations;

Existing control measures;

Management reports (status, performance, action items).

Record the IT resources related to the process, especially those affected by the IT process under audit. Confirm your understanding of the audited process, its key performance indicators (KPI) and the actual state of its controls; for example, the process can be understood through spot checks.

Second, evaluate controls. This audit step is used to evaluate the effectiveness of the existing control measures, or the degree to which the control objectives are achieved, and mainly decides what to test, whether to test, and how to test.

Evaluate the applicability of the control measures applied in the process under audit by comparing the established standards with industry best practices, the critical success factors (CSF) of the control methods, and the auditor's professional judgment. Check that:

There is a documented process;

The process has suitable outputs;

Responsibilities are clear and effective;

Compensating controls exist where necessary.

Draw a conclusion on the degree to which the control objective is achieved.

Third, assess compliance. This audit step is used to ensure that the established control measures work consistently in the way the organization specifies, and to draw a conclusion on the adequacy of the control environment. Obtain direct or indirect evidence for the selected items and stages, and use that direct and indirect evidence to confirm that the audited items and stages consistently meet the requirements of the relevant control procedures.

Conduct a limited audit of the adequacy of the process outputs.

Determine the degree of substantive testing and other work that needs to be completed to prove that the IT processes are separated.

Fourth, confirm the risk. This audit step identifies the risks that arise when the control objectives are not achieved, using analytical techniques and, optionally, consulting resources. The goal is to support the audit judgment and urge managers to take action. Auditors should be creative in finding and presenting this information, which is usually sensitive and confidential.

Document the control weaknesses and the threats and vulnerabilities they cause.

Identify and record actual and potential impacts, for example by using causal analysis. Provide comparative information, such as benchmarking.