Summary ISACA : Information Systems Auditing: Tools and Techniques Creating Audit Programs

Information
Systems Auditing:
Tools and Techniques
Creating Audit Programs



Abstract
Information systems audits can provide a multitude of benefits to an enterprise by ensuring the effective, efficient, secure and reliable
operation of the information systems so critical to organizational success. The effectiveness of the audit depends, in large part, on the
quality of the audit program.

,Information Systems Auditing: Tools and Techniques—Creating Audit Programs Table of Contents




TABLE OF CONTENTS
Introduction...................................................................................................................................................................3
Purpose of This Publication.........................................................................................................................................3
Audience......................................................................................................................................................................3
Scope and Approach....................................................................................................................................................3
Terminology..................................................................................................................................................................4

The Audit Process..........................................................................................................................................................5

Audit and Assurance Programs.....................................................................................................................................8
Objectives of Developing Audit and Assurance Programs..........................................................................................8
Minimum Skills to Develop an Audit and Assurance Program................................................................................... 9
Steps to Develop an Audit and Assurance Program.................................................................................................... 9

Appendix A—List of Resources...................................................................................................................................16
ISACA Resources......................................................................................................................................................16
Additional Resources..................................................................................................................................................16




©2016 Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. 2

, Information Systems Auditing: Tools and Techniques—Creating Audit Programs Introduction




INTRODUCTION
Organizations undertake audits for many reasons. An audit can help the enterprise ensure effective operations and
attest to its compliance with administrative and legal regulations. It can confirm for management that the business
is functioning well and is prepared to meet potential challenges. Perhaps most important, it can assure stakeholders
of the financial, operational and ethical well-being of the organization. Information systems (IS) audits support all
those outcomes, with a special focus on the information and related systems upon which most businesses and public
institutions depend for competitive advantage.

Achievement of the many benefits that can accrue to an effective audit depends on proper and thorough planning of
the audit engagement. The scope and the objective of the audit must be understood and accepted by both the auditor
and the area being audited. Once the purpose for the audit is clearly defined, the audit plan can be created, which
will encapsulate the agreed scope, objectives and procedures needed to obtain evidence that is relevant, reliable and
sufficient to draw and support audit conclusions and opinions.

An important component of the audit plan is the audit program, also known as work program. The audit program
is commonly used to document the specific procedures and steps that will be used to test and verify control
effectiveness. The quality of the audit program has a significant impact on the consistency and quality of the audit
results, so it is imperative that IS auditors understand how to develop comprehensive audit programs.

Purpose of This Publication
The purpose of this publication is to provide a basic understanding of the steps necessary to develop comprehensive
audit programs that clearly and consistently document the procedures that will be used to test controls and gather
supporting data. This guide is also intended to help audit/assurance professionals develop audit programs that
comply with generally accepted audit standards, especially those issued by ISACA,1 the Public Company Accounting
Oversight Board (PCAOB),2 the Institute of Internal Auditors (IIA),3 and the American Institute of Certified Public
Accountants (AICPA).4

This publication is not intended to provide technical guidance on how to audit specific technologies.

Audience
This guide is intended primarily for IS and non-IS audit/assurance professionals who need to gain an understanding
about the process to develop audit programs for IS audit engagements. This guide is also beneficial for
audit/assurance professionals who wish to enhance their skills in developing IS audit programs.

Scope and Approach
This publication is intended to provide practical guidance to develop audit programs from the ground up. The guide
has been organized into three main areas:
• Audit process overview
• Steps to develop an audit program
• List of resources

In addition, other audit program resources are available from ISACA at www.isaca.org/creating-audit-programs,
including a Sample Audit Program document and an Infographic—Step-by-Step Audit Plan Activities.
1
ISACA, ITAFTM: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, USA, 2014,
www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/Pages/default.aspx
2
PCAOB, General Audit Standards, AS 2101: Audit Planning, USA, 2015, http://pcaobus.org/Standards/Auditing/Pages/AS2101.aspx
3
The IIA, International Standards for the Professional Practice of Internal Auditing (Standards), USA, revised 2012,
https://na.theiia.org/standards-guidance/Public%20Documents/IPPF%202013%20English.pdf
4
AICPA, Due Professional Care in the Performance of Work, AU-C Section 300, Planning an Audit, USA, 2015,
www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-C-00300.pdf

©2016 Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. 3