ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Going Beyond an Audit Checklist

Going Beyond an Audit Checklist

Sanjiv Agarwala, CISA, CISM, CGEIT, CISSP
| Published: 1/25/2016 3:04 PM | Permalink | Email this Post | Comments (3)

I recently conducted an internal auditor training program for a major firm in India. One of the questions asked during the course of the training was regarding audit checklists. The participant wanted to know if an IS auditor really needed a checklist during the course of a systems audit. He also said that some auditors in the past sent him the checklist to obtain his responses, and some only asked the questions mentioned in the checklist. He felt that auditing was a bit boring as it was just about checking a few things, filling out a checklist and submitting a report. Here I had a participant who was not at all happy about the state of audit.

I had to explain to him that IS auditing is not just about preparing and completing a checklist and submitting a report. An audit checklist is a useful tool, but no auditor needs to be confined to the questions in the checklist. A checklist is useful to ascertain that the auditor does not miss reviewing any important and significant areas as agreed upon in the scope of the audit engagement. I showed the participant how complex the IT setup can be and quickly gave an overview of ISO27001 and COBIT as reference guides to explain to him all the items an auditor can assess during a systems audit. When I explained the concept of risk and value for IT controls, he was able to appreciate the value that an auditor can bring to an enterprise.

Whether auditors need to carry a checklist during systems audit is their choice, but what is more important is the overall audit process that the auditor follows. Auditors are appreciated when they perform an objective assessment of the environment from a risk and value perspective. Merely asking questions is not what auditing is about. Auditors need the skills to obtain evidence from complex IT systems within the context of a client's business to reach a conclusion.

So here comes the challenge—if concerned auditors do not have a fair idea about client business processes and are not confident with the technology environment of the customer, then they should enlist the help of senior auditors who have such skill sets. Auditors need to go beyond the checklist to assess an IT setup, as no single checklist is enough for a variety of IT setups.

There are many other perceptions and unpopular beliefs regarding the IS audit profession, such as audit is a fault-finding mission, audit is a post-mortem exercise, auditors make recommendations that are not practical or auditors are scary. All of these issues can be addressed when auditors understand the business processes of the client, understand the client culture, conduct audits as per standard audit practices, involve the right competent audit professionals for any engagement, and submit reports with proper sign-off from the auditees with recommendations that do, in fact, add value to the business.

Read Sanjiv Agarwala’s recent Journal article:
How to Be the Most Wanted IS Auditor,” ISACA Journal, volume 1, 2016.


Feedback on Sanjiv Agarwala

This is an excellent policy and philosophy to follow. Back in early "SOX" days I brought my COBIT and COSO manuals with me to an audit and stunned those being audited. Not good. Then I tried checklists, some from ISACA seminars, some I prepared. Too much of what I needed for the particular company was not on the checklists. Obviously the best approach is this one. Explain what the Audit could cover and then what this one will be covering. Also, learn the client business processes and tech environment or get help with those ahead of time (if possible). You cannot audit what you do not know.
HelenMeyer at 1/26/2016 1:59 PM


I completely agree with Sanjiv & Halen
Ramakrishna328 at 2/3/2016 1:01 AM

Thanks for the feedback

Thanks HelenMeyer for your feedback and also sharing one of yours real life audit experience. Thanks Ramakrishna328 for your comment.
SKA at 2/14/2016 8:16 PM