Chapter Five

Conducting an Information Systems Audit

In this chapter we learn about the process of conducting an information systems audit. An overview of an audit program is offered: the plan and procedure, compliance and substantive testing, testing tools, and the process of reporting. An audit workflow is presented in detail at the end of the chapter. By the end of this chapter, we will be in a position to understand how the entire auditing process is conducted.


Preparing an audit program is the first step of conducting an information systems audit. The various activities involved in defining an audit program include the following procedures.

Audit Checklists

Audit checklists are necessary to perform an effective and efficient audit. They are essentially lists of the various tests that auditors must perform to determine whether key controls intended to mitigate significant risks are functioning as designed. The ISecGrade framework, which involves the use of such checklists, is provided in Chapter 12 of this book. Based on the results of the tests performed, the information systems auditor can reach a conclusion on the adequacy of controls over a particular process or over the system in its entirety.

Resource Planning

Audit programs help the information systems auditor to plan for required resources. After identifying the checklists necessary for conducting the audit, the information systems auditor may proceed to estimate the total number of hours needed to perform ...
