IT audits help enterprises ensure the effective, efficient, secure, and reliable operation of the information technology that is critical to organizational success. The effectiveness of the audit depends largely on the quality of the audit program. The audit process consists of three phases: planning, fieldwork/documentation (acquiring data, testing controls, issue discovery and validation, documenting results) and reporting/follow-up (gathering report requirements, drafting the report, issuing the report and follow-up). The planning phase consists of five key steps:
Determine audit subject.
Define audit objective.
Audit processes are clearly defined by phase with activities clearly described.
Set audit scope.
A clear scope helps the auditor determine the testing points relevant to the audit’s objective.
Perform pre-audit planning.
Pre-audit planning includes tasks such as conducting a risk assessment, identifying regulatory compliance requirements, and determining the resources that will be needed to perform the audit.
Determine audit procedures and steps for data gathering.
This involves activities such as obtaining departmental policies for review, developing methodology to test and verify controls, and developing test scripts plus criteria to evaluate the test.
IT audit programs indicate three key success elements: standard frameworks, the operating environment of the entity under review, and the audit process used internally.