An information system (IS) audit or information technology (IT) audit is an examination of the controls within an entity's information technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
We collect and evaluate evidence of an organization's information systems, practices, and operations. We obtain evidence on whether the organization's information systems safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's goals or objectives.
In this phase we plan the information system coverage to meet the audit objectives specified by the Client and to ensure compliance with all laws and professional standards. The first step is to obtain an Audit Charter from the Client detailing the purpose of the audit and the management responsibility, authority and accountability of the Information Systems Audit function.
We follow a risk-based audit approach. This approach is used to assess risk and to assist an IS auditor's decision to do either compliance testing or substantive testing. In a risk-based audit approach, IS auditors do not rely on risk alone. They also rely on internal and operational controls as well as knowledge of the organisation.
In this phase we conduct the audit, collect the evidence and document our audit work. We achieve this objective through:
Establishing an Internal Review Process where the work of one person is reviewed by another, preferably a more senior person.
Obtaining sufficient, reliable and relevant evidence through inspection, observation, inquiry, confirmation and recomputation of calculations.
Documenting our work by describing the audit work done and the audit evidence gathered to support the auditors' findings.
Upon completion of the audit, the QRC Information Systems Auditor produces and appropriately reports the results of the IS audit.