Chapter Four

Information Systems Audit Requirements

IN THIS CHAPTER WE discuss the critical requirements of an information systems audit in terms of both input and delivery. After reading this chapter, you should develop a comprehensive understanding of the general scope of an information systems audit, types of evidences, and areas that an information systems auditor must focus on.


The scope of an information systems audit includes verifying the existence and performance of controls. The selection of the controls to test remains a critical decision for the information systems auditor and will have a major role in determining the quality of the audit. In order to ensure adequate coverage of testing, the auditor is required to prioritize testing of controls. Prioritization essentially depends on the corresponding loss exposure to the auditee in the event of the failure of a specific control. The likelihood of a control failing, and even being activated, is uncertain. This calls for a risk analysis exercise on the part of the auditor. Risk is the likelihood that the entity would face a vulnerability being exploited or a threat becoming harmful. Vulnerability is the inherent weaknesses of a system or process that can be exploited by a threat. Threats stand for uncertain events that can cause loss to the entity. The threats exploit the gap between the level of protection necessary and the degree of protection achieved. Once an entity is aware of the potential loss, it ...

Get Understanding and Conducting Information Systems Auditing + Website now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.