Find Resources and Connect with members on topics that interest you.

AI - Acquire and Implement

PO - Plan and Organize

DS - Deliver and Support

Please sign in to see your topics.

Subscribe to this discussion

IT Audit Procedures and Question to Ask

Hi to you all,
I am planning an IT/IS Audit for a financial institution.The first thing i need to do is to understand the business. My question is what kind of questions do i ask Senior Management during the fact gathering face. Do i have to rely solely on the Policies of the organisation?


Thanks
You must sign in to rate content.
(Unrated)

Comments

RE: IT Audit Procedures and Question to Ask

Hi to you all,
I am planning an IT/IS Audit for a financial institution.The first thing i need to do is to understand the business. My question is what kind of questions do i ask Senior Management during the fact gathering face. Do i have to rely solely on the Policies of the organisation?


Thanks
Seyram676 at 1/25/2016 3:57:51 AM
You can also ask:
  • What business objectives that senior management try to achieve these 1-3 years, and how would IT/IS audit help to achieve these goals?
  • What are the concerning areas that he/she see (or need improvement) at this point of time and near future?
FeHaEnergizer at 1/25/2016 4:29:52 AM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Hello Seyram

I also recommend you, to talk, if you have the opportunity, with other top manager of the company, so you will be able to reach information from different perspectives.

Yo can ask about their strategic planning too, and how it is related with the system you will be auditing.

Regards.
Samantha M. at 1/26/2016 9:33:06 PM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Thanks Samantha and FeHa for your response. If i may ask, is it that very important and necessary to go through the organisations Enterprise Policies as well as IS Policies if any exist. What if none of these policies does not exist, What do i do then as the IS auditor.

Thanks
Seyram676Energizer at 1/27/2016 4:39:04 AM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Thanks Samantha and FeHa for your response. If i may ask, is it that very important and necessary to go through the organisations Enterprise Policies as well as IS Policies if any exist. What if none of these policies does not exist, What do i do then as the IS auditor.

Thanks
Seyram676 at 1/27/2016 4:39:04 AM
When it comes to the discussion of how audit can support the achievement of business objectives, for me personally Policies should come second. Because policies in this context should be seen as means to help the business achieve its goals, and not the goals itself.

If policies do not exist, you can always recommend the management to define them. But be more specific to which extent these policies are required to, again, support business goals. No business love to have more policies that do not contribute anything to their needs.  
FeHaEnergizer at 1/28/2016 8:47:32 AM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Thanks Samantha and FeHa for your response. If i may ask, is it that very important and necessary to go through the organisations Enterprise Policies as well as IS Policies if any exist. What if none of these policies does not exist, What do i do then as the IS auditor.

Thanks
Seyram676 at 1/27/2016 4:39:04 AM
Concerning the review of enterprise and IT/IS policies, what I have come to realise is that for most environments what you see in practice may be different from what the policies state. As Samantha and FeHa have stated, a good starting point is to interview top/executive management to obtain an understanding of their strategic objectives (covering say, a 5 year period), and identify the areas where IT/technology is enabling these objectives. You may then assess what is being done against the policy statements and then it becomes clearer what your audit strategy should be.

Where there are no policies in place, the interviews with top management should be performed still. You may then discuss recommendations with executive management to develop policies (enterprise and IT) that tie to the business objectives. Bear in mind that the IT policies must align with the enterprise policies for the organization to derive any value. 

Hope this helps.
Adeola0201 at 1/28/2016 4:50:58 PM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Thanks Samantha and FeHa for your response. If i may ask, is it that very important and necessary to go through the organisations Enterprise Policies as well as IS Policies if any exist. What if none of these policies does not exist, What do i do then as the IS auditor.

Thanks
Seyram676 at 1/27/2016 4:39:04 AM
Concerning the review of enterprise and IT/IS policies, what I have come to realise is that for most environments what you see in practice may be different from what the policies state. As Samantha and FeHa have stated, a good starting point is to interview top/executive management to obtain an understanding of their strategic objectives (covering say, a 5 year period), and identify the areas where IT/technology is enabling these objectives. You may then assess what is being done against the policy statements and then it becomes clearer what your audit strategy should be.

Where there are no policies in place, the interviews with top management should be performed still. You may then discuss recommendations with executive management to develop policies (enterprise and IT) that tie to the business objectives. Bear in mind that the IT policies must align with the enterprise policies for the organization to derive any value. 

Hope this helps.
Adeola0201 at 1/28/2016 4:50:58 PM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Thanks Samantha and FeHa for your response. If i may ask, is it that very important and necessary to go through the organisations Enterprise Policies as well as IS Policies if any exist. What if none of these policies does not exist, What do i do then as the IS auditor.

Thanks
Seyram676 at 1/27/2016 4:39:04 AM
When it comes to the discussion of how audit can support the achievement of business objectives, for me personally Policies should come second. Because policies in this context should be seen as means to help the business achieve its goals, and not the goals itself.

If policies do not exist, you can always recommend the management to define them. But be more specific to which extent these policies are required to, again, support business goals. No business love to have more policies that do not contribute anything to their needs.  
FeHaEnergizer at 1/28/2016 8:47:32 AM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Thanks Samantha and FeHa for your response. If i may ask, is it that very important and necessary to go through the organisations Enterprise Policies as well as IS Policies if any exist. What if none of these policies does not exist, What do i do then as the IS auditor.

Thanks
Seyram676Energizer at 1/27/2016 4:39:04 AM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Hello Seyram

I also recommend you, to talk, if you have the opportunity, with other top manager of the company, so you will be able to reach information from different perspectives.

Yo can ask about their strategic planning too, and how it is related with the system you will be auditing.

Regards.
Samantha M. at 1/26/2016 9:33:06 PM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Hi to you all,
I am planning an IT/IS Audit for a financial institution.The first thing i need to do is to understand the business. My question is what kind of questions do i ask Senior Management during the fact gathering face. Do i have to rely solely on the Policies of the organisation?


Thanks
Seyram676 at 1/25/2016 3:57:51 AM
You can also ask:
  • What business objectives that senior management try to achieve these 1-3 years, and how would IT/IS audit help to achieve these goals?
  • What are the concerning areas that he/she see (or need improvement) at this point of time and near future?
FeHaEnergizer at 1/25/2016 4:29:52 AM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Hi to you all,
I am planning an IT/IS Audit for a financial institution.The first thing i need to do is to understand the business. My question is what kind of questions do i ask Senior Management during the fact gathering face. Do i have to rely solely on the Policies of the organisation?


Thanks
Seyram676 at 1/25/2016 3:57:51 AM
You can also ask:
  • What business objectives that senior management try to achieve these 1-3 years, and how would IT/IS audit help to achieve these goals?
  • What are the concerning areas that he/she see (or need improvement) at this point of time and near future?
FeHaEnergizer at 1/25/2016 4:29:52 AM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Hello Seyram

I also recommend you, to talk, if you have the opportunity, with other top manager of the company, so you will be able to reach information from different perspectives.

Yo can ask about their strategic planning too, and how it is related with the system you will be auditing.

Regards.
Samantha M. at 1/26/2016 9:33:06 PM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Thanks Samantha and FeHa for your response. If i may ask, is it that very important and necessary to go through the organisations Enterprise Policies as well as IS Policies if any exist. What if none of these policies does not exist, What do i do then as the IS auditor.

Thanks
Seyram676Energizer at 1/27/2016 4:39:04 AM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Thanks Samantha and FeHa for your response. If i may ask, is it that very important and necessary to go through the organisations Enterprise Policies as well as IS Policies if any exist. What if none of these policies does not exist, What do i do then as the IS auditor.

Thanks
Seyram676 at 1/27/2016 4:39:04 AM
When it comes to the discussion of how audit can support the achievement of business objectives, for me personally Policies should come second. Because policies in this context should be seen as means to help the business achieve its goals, and not the goals itself.

If policies do not exist, you can always recommend the management to define them. But be more specific to which extent these policies are required to, again, support business goals. No business love to have more policies that do not contribute anything to their needs.  
FeHaEnergizer at 1/28/2016 8:47:32 AM Quote
You must sign in to rate content.
(Unrated)

RE: IT Audit Procedures and Question to Ask

Thanks Samantha and FeHa for your response. If i may ask, is it that very important and necessary to go through the organisations Enterprise Policies as well as IS Policies if any exist. What if none of these policies does not exist, What do i do then as the IS auditor.

Thanks
Seyram676 at 1/27/2016 4:39:04 AM
Concerning the review of enterprise and IT/IS policies, what I have come to realise is that for most environments what you see in practice may be different from what the policies state. As Samantha and FeHa have stated, a good starting point is to interview top/executive management to obtain an understanding of their strategic objectives (covering say, a 5 year period), and identify the areas where IT/technology is enabling these objectives. You may then assess what is being done against the policy statements and then it becomes clearer what your audit strategy should be.

Where there are no policies in place, the interviews with top management should be performed still. You may then discuss recommendations with executive management to develop policies (enterprise and IT) that tie to the business objectives. Bear in mind that the IT policies must align with the enterprise policies for the organization to derive any value. 

Hope this helps.
Adeola0201 at 1/28/2016 4:50:58 PM Quote
You must sign in to rate content.
(Unrated)

Leave a Comment

* required

You must login to leave a comment.