1.9. Fieldwork

IS audit fieldwork is performed to ensure that the business needs are being met through the systems, processes, and IT infrastructure and their associated controls. This is accomplished by challenging the effectiveness of existing controls and by identifying the need for improved controls to meet the control objectives. Fieldwork is associated with every program step in the audit program. It represents testing that looks at the controls in a particular place at a point in time. If the audit scope covers a span of time, evidence will need to be gathered that represents that particular span of time. If the audit time frame is inclusive of the present, then what is observed and the evidence that is gathered is representative of what should be concluded on during the present, regardless of whether issues are corrected or changed during the audit. Professional judgment will be called to the test here once again.

Once a program has been further delineated into program steps in some structure, the auditor must decide how best to obtain the information and evidence necessary to opine on the condition of the controls.

1.9.1. Control Objectives and Audit Approach

A typical audit program section will identify the control objectives that must be met and will target a particular process that must be reviewed for that objective. Using the planning and risk assessment and control objective information gathered earlier, you should already have preliminary information available ...

Get The CISA® Prep Guide: Mastering the Certified Information Systems Auditor Exam now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.