IS Auditing Guidelines G1 Using the Work of Other Experts
G14 Application Systems Review cont.
4. REPORTING
4.1 Weaknesses
4.1.1 Weaknesses identified in the application review either due to an absence of controls or to non-compliance should be brought to the attention of the business process owner and to the IS management responsible for the support of the application. Where weaknesses identified during the application systems review are considered to be significant or material, the appropriate level of management should be advised to undertake immediate corrective action.
4.1.2 Since effective computerized application controls are dependent on general IT controls, weaknesses in this area should also be reported. In the event that general IT controls were not reviewed, this fact should be included in the report.
4.1.3 The IS auditor should include appropriate recommendations to strengthen controls in the report.
5. EFFECTIVE DATE
5.1 This guideline is effective for all IS audits beginning on or after 1 November 2001. The guideline has been reviewed and updated effective 1 December 2008.
1. BACKGROUND
1.1 Linkage to ISACA Standards
1.1.1 Standard S5 Planning states, "The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable laws and professional auditing standards."
1.2 Need for Guideline
1.2.1 The purpose of this guideline is to define the components of the planning process as stated in standard S5 of the IS Auditing Standards.
1.2.2 This guideline also provides for planning in the audit process to meet the objectives set by COBIT®.
2. PLANNING
2.1 Business Requirements
2.1.1 This guideline relates to a specific auditing project rather than the complete plan of an audit department or group.
2.1.2 The IS auditor should develop an audit plan that takes into consideration the objectives of the auditee relevant to the audit area and its technology infrastructure. Where appropriate, the IS auditor should also consider the area under review and its relationship to the organisation (strategically, financially and/or operationally) and obtain information on the strategic plan, including the IS strategic plan.
2.1.3 The IS auditor should have an understanding of the auditee’s information architecture and the auditee’s technological direction to be able to design a plan appropriate for the present and, where appropriate, future technology of the auditee.
2.1.4 Terms of reference should be part of the audit plan.
2.1.5 A risk assessment and prioritisation of identified risks for the area under review and the organisation’s IS environment should be carried out to the extent necessary. See the IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning.
2.2 Knowledge of the Organisation
2.2.1 Before beginning an auditing project, the work of the IS auditor should be planned in a manner appropriate for meeting the audit objectives. As a part of the planning process IS auditors should obtain an understanding of the organisation and its processes. In addition to giving the IS auditor an understanding of the organisation's operations and its IS requirements, this will assist the IS auditor in determining the significance of the IS resources being reviewed as they relate to the objectives of the organisation. IS auditors should also establish the scope of the audit work and perform a preliminary assessment of internal control over the function being reviewed.
2.2.2 The extent of the knowledge of the organisation and its processes required by the IS auditor will be determined by the nature of the organisation and the level of detail at which the audit work is being performed. The IS auditor may require specialised knowledge when dealing with unusual or complex operations. A more extensive knowledge of the organisation and its processes will ordinarily be required when the audit objective involves a wide range of information system functions rather than when the objectives are for limited functions. For example, a review with the objective of evaluating control over an organisation's payroll system would ordinarily require a more thorough understanding of the organisation than a review with the objective of testing controls over a specific program library system.
2.2.3 The IS auditor should gain an understanding of the types of events, transactions and practices that can have a significant effect on the specific organisation, function, process or data that is the subject of the auditing project. Knowledge of the organisation should include the business, financial and inherent risks facing the organisation as well as conditions in the organisation's marketplace. It should also include the extent to which the organisation relies on outsourcing to meet its objectives. The IS auditor should use this information in identifying potential problems, formulating the objectives and scope of the work, performing the work and considering actions of management for which the IS auditor should be alert.
2.3 Materiality
2.3.1 In the planning process, the IS auditor should ordinarily establish levels of planning materiality such that the audit work will be sufficient to meet the audit objectives and will use audit resources efficiently. For example, in the review of an existing system the IS auditor will evaluate materiality of the various components of the system in planning the audit programme for the work to be performed. The IS auditor should consider both qualitative and quantitative aspects in determining materiality. For further information on materiality, see the IS Auditing Guideline G6 Materiality Concepts for Auditing Information Systems.
2.4 Risk Assessment
2.4.1 An assessment of risk should be made to provide reasonable assurance that all material items will be adequately covered during the audit work. This assessment should identify areas with relatively high risk of existence of material problems.
G15 Planning cont.
2.5 Internal Control Evaluation
2.5.1 Auditing projects should include consideration of internal controls, either directly as a part of the auditing project objectives or as a basis for reliance upon information being gathered as a part of the auditing project. Where the objective is evaluation of internal controls, the IS auditor should consider the extent to which it will be necessary to review such controls. When the objective is to assess the effectiveness of controls over a period of time, the audit plan should include procedures appropriate for meeting the audit objectives, and these procedures should include compliance testing of controls. When the objective is not to assess the effectiveness of controls over a period of time, but rather to identify control procedures at a point in time, compliance testing of controls may be excluded.
2.5.2 When the IS auditor evaluates internal controls for the purpose of placing reliance on control procedures in support of information being gathered as part of the audit, the IS auditor should ordinarily make a preliminary evaluation of the controls and develop the audit plan on the basis of this evaluation. During a review, the IS auditor will consider the appropriateness of this evaluation in determining the extent to which controls can be relied upon during testing. For example, in using computer programs to test data files, the IS auditor should evaluate controls over program libraries containing programs being used for audit purposes to determine the extent to which the programs are protected from unauthorised modification.
3. DOCUMENTATION