How to carry out IT audit projects, and what is the implementation process of an IT audit?

In recent years, as enterprise information systems have continued to improve, enterprises have become increasingly dependent on them, and information system audit has become an indispensable part of auditing. Today, Times Xinwei will talk to you about the process of information system audit.

1) Survey

This audit step is used to record related activities under control objectives, determine the control measures and procedures that the organization claims to have implemented, and confirm their existence.

Meet with relevant managers and employees to understand:

Business requirements and related risks.

Organizational structure.

Roles and responsibilities.

Policies and procedures.

Laws and regulations.

Existing control measures.

Management reports (status, performance, action items).

Record the IT resources related to the process, especially those affected by the audited IT process. Confirm the understanding of the process under audit, the key performance indicators (KPIs) of the process and the actual control status. For example, the process can be understood through spot checks.

2) Evaluate controls

This audit step is used to evaluate the effectiveness of existing control measures or the degree to which control objectives are achieved, and mainly to decide what to test, whether to test and how to test.

Evaluate the applicability of the control measures applied in the process under audit by comparing them against established standards, industry best practices, the critical success factors (CSFs) of the control methods and the auditor's professional judgment.

There is a documented process.

There is a suitable output.

The responsibilities are clear and effective.

Where necessary, there are compensating controls.

Draw a conclusion on the degree to which the control objectives are achieved.

3) Assess compliance

This audit step is used to ensure that the established control measures work consistently in the way specified by the organization, and to draw a conclusion on the applicability of the control environment.

Obtain direct or indirect evidence for the selected projects and stages, and use it to ensure that the audited projects and stages always meet the requirements of the relevant control procedures.

Perform a limited audit of the adequacy of the process outputs.

To prove that IT processes are separated, determine the degree of substantive testing and other work that needs to be completed.

4) Confirm risks

This audit step uses analytical techniques and optional consulting resources to identify the risks that arise when control objectives are not achieved. The goal is to support the audit judgment and urge managers to take action. Auditors should be creative in finding and presenting this information, which is usually sensitive and confidential.

Record control weaknesses and the threats and vulnerabilities they cause.

Identify and record actual and potential impacts, for example by using causal analysis.

Provide comparative information, for example through benchmarking.

In an era of rapid information growth, information system audit ensures the reliability of online and real-time information, which helps the development of the whole market economy. The above is the information system audit process as explained by Times Xinwei.