ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Simplified Audit Programs

Simplified Audit Programs

Paul Phillips
| Published: 9/15/2016 3:03 PM | Permalink | Email this Post | Comments (4)

Paul Phillips is technical research manager at ISACA.

Performing an audit can be a daunting task, especially for a new auditor. By the same token, performing the customary review of an audit can be challenging when one has not been intimately involved in the process.

ISACA has started the process of simplifying and reformatting the audit programs to make them more user-friendly. These programs are simpler for ease of use, and each control can be traced back to a COBIT 5 Process that provides more detail that may be helpful during an audit. The following 4 audit programs have been simplified/reformatted:  bring your own device (BYOD), cloud computing, IT risk management and change management. Traditionally, the audit programs have been in Microsoft Word, and while the content has not changed very much, the newly formatted audit programs are now in Microsoft Excel. Now, instead of continuous scrolling to locate a particular process, each has its own worksheet and has been clearly labelled. The first worksheet of each audit program has instructions on how to use each column. There are 13 columns. The following lists each column along with a brief description: 

  • Process sub-area—To make the audit program manageable, it is recommended to break out the scope of the audit into sub-areas. The auditor can modify this field to entity-specific names and terms. ISACA employed the most commonly used terms as the basis to develop this audit program.
  • Ref. risk—This field can be used to input a reference/link to risk described in the entity's risk register or enterprise risk management (ERM) system or to input a description of the risk a particular control is intended to address.
  • Control objectives—This field should describe the behaviors, technologies, documents or processes expected to be in place to address the inherent risk that is part of the audit scope.
  • Controls—This field should describe in detail the control activities expected to be in place to meet the control objective. Control activities can be in roles and responsibilities, documentation, forms, reports, system configuration, segregation of duties, and approval matrices.
  • Control type—Specify whether the control under review is automated, manual, physical or a combination. This information is useful in determining the testing steps necessary to obtain assessment evidence.
  • Control classification—Specify whether the control under review is preventive, detective, corrective or compensating. This information will be helpful when defining testing steps and requesting evidence.
  • Control frequency—Specify whether the control under review occurs in real time, daily, weekly, monthly or annually. This information will be helpful when defining testing steps and requesting evidence.
  • Testing step—This field should describe in detail the steps necessary to test control activities and collect supporting documentation. The auditor can modify this field to meet entity-specific needs. ISACA has used a set of generic steps to develop this audit program.
  • Ref. COBIT 5—Input the COBIT 5 process or practice that relates to this control.
  • Ref. framework/standards—Input references to other frameworks used by the entity as part of their compliance program.
  • Ref. workpaper—Specify the location of supporting documentation detailing the audit steps and evidence obtained.
  • Pass/Fail—Specify whether the overall control is effective (pass) or not effective (fail) based on the results of the testing.
  • Comments—Document any notes related to the review of this process sub-area or specific control activities.

Eight of the columns allow the audit professional to insert information that may be helpful during the review of the audit. Typically, at the end of an audit there is a review process. These 8 columns allow the auditor to include information that may be helpful during the review process. Among them is the ref. risk column. This allows the audit to identify the specific risk factor(s) associated with the control being assessed. Three columns regarding information about the control under review have been added:  control type, control class, and control frequency. Having this information gives the auditor and reviewer more information to assess whether it is operating effectively and efficiently. Another column that may be helpful during the audit review is the ref. frameworks/standards column, which allows the auditor to enter references to any frameworks and/or standards the enterprise uses or are required to comply with. The ref. workpaper column allows the auditor to identify supporting documentation. The pass/fail column is a place for the auditor to specify whether the overall control passed or failed based on the testing performed, and the comments column is there for the auditor to document any notes that may be helpful during a subsequent review of the information.

The updated audit program can help new auditors and those not part of the audit process a better understanding of the audit. This simplified audit program gives the audit professional a tool that will facilitate the audit process from beginning to end.


Anthony Lowe

Just had a look.  Excellent !
Anthony88 at 9/15/2016 6:44 PM

Re: Simplified Audit Programs

Where can I find this update?
Edgar119 at 9/16/2016 10:31 AM

Re: Simplified Audit Programs

Please can I get a link to view this document? Thank you. Anthony
Anthony718 at 9/19/2016 7:46 AM


Patrick012 at 10/11/2016 1:07 PM