IS Auditing Guideline: G5 Audit Charter 

1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S1 Audit Charter states ‘The responsibility, authority and accountability of the information systems audit function or information audit assignments should be appropriately documented in an audit charter or engagement letter’.

1.2 Linkage to COBIT

1.2.1 ME 4.7 Independent assurance states ‘…Provide the board with timely independent assurance about the compliance of IT with its policies, standards and procedures, as well as with generally accepted practices’.
1.2.2 ME 2.5 Assurance of internal control states ‘Obtain, as needed, further assurance of the completeness and effectiveness of internal controls through third-party reviews’.

1.3 Need for Guideline

1.3.1 The purpose of this guideline is to assist the IS auditor to prepare an audit charter to define the responsibility, authority and accountability of the IS audit function. This guideline is aimed primarily at the internal IS audit function; however, aspects could be considered for other circumstances.
1.3.2 This guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgement in its application and be prepared to justify any departure.

2. AUDIT CHARTER

2.1 Mandate

2.1.1 The IS auditor should have a clear mandate to perform the IS audit function. This mandate is ordinarily documented in an audit charter that should be formally accepted. Where an audit charter exists for the audit function as a whole, the IS audit mandate should be incorporated.

2.2 Contents of the Audit Charter

2.2.1 The audit charter should clearly address the four aspects of purpose, responsibility, authority and accountability. Aspects to consider are set out in the following sections.
2.2.2 Purpose:
  • Role
  • Aims/goals
  • Mission statement
  • Scope
  • Objectives
2.2.3 Responsibility:
  • Operating principles
  • Independence
  • Relationship with external audit
  • Auditee requirements
  • Critical success factors
  • Key performance indicators
  • Risk assessment
  • Other measures of performance
2.2.4 Authority:
  • Right of access to information, personnel, locations and systems relevant to the performance of audits
  • Scope or any limitations of scope
  • Functions to be audited
  • Auditee expectations
  • Organisational structure, including reporting lines to board and senior management
  • Grading of IS audit staff
2.2.5 Accountability:
  • Reporting lines to senior management
  • Assignment performance appraisals
  • Personnel performance appraisals
  • Staffing/career development
  • Auditee rights
  • Independent quality reviews
  • Assessment of compliance with standards
  • Benchmarking performance and functions
  • Assessment of completion of the audit plan
  • Comparison of budget to actual costs
  • Agreed actions, e.g., penalties when either party fails to carry out their responsibilities

2.3 Communication With Auditees

2.3.1 Effective communication with auditees involves:
  • Describing the service, its scope, its availability and timeliness of delivery
  • Providing cost estimates or budgets if they are available
  • Describing problems and possible resolutions for them
  • Providing adequate and readily accessible facilities for effective communication
  • Determining the relationship between the service offered and the needs of the auditee
2.3.2 The audit charter forms a sound basis for communication with auditees and should include references to service level agreements for such things as:
  • Availability for unplanned work
  • Delivery of reports
  • Costs
  • Response to auditee complaints
  • Quality of service
  • Review of performance
  • Communication with auditees
  • Needs assessment
  • Control risk self-assessment
  • Agreement of terms of reference for audits
  • Reporting process
  • Agreement of findings

2.4 Quality Assurance Process

2.4.1 The IS auditor should consider establishing a quality assurance process (e.g., interviews, customer satisfaction surveys, assignment performance surveys) to understand auditees’ needs and expectations relevant to the IS audit function. These needs should be evaluated against the charter with a view to improving the service or changing the service delivery or audit charter, as necessary.

3. ENGAGEMENT LETTER

3.1 Purpose

3.1.1 Engagement letters are often used for individual assignments or for setting the scope and objectives of a relationship between external IS audit and an organisation.

3.2 Content

3.2.1 The engagement letter should clearly address the three aspects of responsibility, authority and accountability. Aspects to consider are set out in the following paragraphs.
3.2.2 Responsibility:
  • Scope
  • Objectives
  • Independence
  • Risk assessment
  • Specific auditee requirements
  • Deliverables
3.2.3 Authority:
  • Right of access to information, personnel, locations and systems relevant to the performance of the assignment
  • Scope or any limitations of scope
  • Evidence of agreement to the terms and conditions of the engagement
3.2.4 Accountability:
  • Intended recipients of reports
  • Auditee rights
  • Quality reviews
  • Agreed completion dates
  • Agreed budgets/fees if available

4. EFFECTIVE DATE

4.1 This guideline is effective for all IS audits beginning on or after 1 September 1999. The guideline has been reviewed and updated effective 1 February 2008.