[Figure: structure of the Generic Audit Guideline. Level 1, General IT audit approach: COBIT Framework, Audit Process Requirements, Control Observations. Level 2, Process audit guidelines: Detailed Audit Guidelines. Level 3, Audit attention points to complement detailed control objectives: Local Conditions (sector specific criteria, industry standards, platform specific elements, detailed control techniques used).]
AUDIT PROCESS REQUIREMENTS
Having defined what we are going to audit and provide assurance on, we have to determine the most appropriate approach or strategy for carrying out our audit work. First we need to determine the correct scope of our audit. To achieve this we need to investigate, analyse and define:
• the business processes concerned
• the platforms and information systems which are supporting the business process, as well as interconnectivity with other platforms or systems
• the IT roles and responsibilities defined, including what has been in- or out-sourced
• associated business risks and strategic choices

The next step is to identify the information requirements which are of particular relevance with respect to the business processes. Then we will need to identify the inherent IT risks as well as the overall level of control which can be associated with the business process. To achieve this we identify:
• recent changes in the business environment having an IT impact
• recent changes to the IT environment, new developments, etc.
• recent incidents relevant to the controls and business environment
• IT monitoring controls applied by management
• recent audit and/or certification reports
• recent results of self assessments
IT GOVERNANCE INSTITUTE
AUDIT GUIDELINES
On the basis of the information obtained, we can now select the relevant COBIT processes as well as the resources that apply to them. This could require that certain COBIT processes will need to be audited several times, each time for a different platform or system. One