Ookeditse Kamau, CISA, CIA
Audit evidence supports the conclusions of an auditor during the audit process. It attests that management follows the right procedures to account for the internal controls within the IT environment. When audit evidence is thought of, usually the first two ideas that come to mind are professional skepticism (not to take things at face value) and paying attention to detail.
Audit evidence is a component of the audit program execution process,[1] which starts with audit objective identification, control selection, documentation of audit procedures (test of controls) and audit evidence evaluation, as depicted in figure 1.
The quality of audit evidence is determined by its relevance, reliability and sufficiency.[2] Relevance relates to the applicability of the evidence. For instance, if the evidence is for the period under review (e.g., year-end), then when receiving documents, it is imperative to review the contents and pay attention to the dates. One should also verify the source of the information, and if there are any signatures, one should inquire who signed off. Reliability, simply put, is how trustworthy the evidence is. Written information is more reliable than oral, and original documents are more reliable than photocopies. Sufficiency refers to how well the evidence addresses the control activity in its entirety. For example, when testing whether password controls on a Windows 2003 server are set to be strong, reviewing only the password policy (e.g., minimum password length, minimum password age in days) might not be sufficient evidence for this control: although the password policy is set at the server level, the system administrator has rights to change password settings for each user. Such changes include setting a user to access the network without a password or setting a user’s password to never expire, and they take precedence over the policy set at the server level. Therefore, apart from reviewing the password policy, the information systems (IS) auditor should additionally review:
- Users who have not changed their passwords, or have not logged on, in a number of days exceeding the company’s policy for password change. This is intended to ensure that sufficient evidence is gathered to address the control.
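As an added illustration that is not part of the article, the following Python check applies the per-user review points above to a constructed export of account settings (field names, sample users and the policy thresholds are assumptions, not values from the article):

```python
from datetime import date, datetime

# Constructed sample standing in for an export of per-user account settings
# from the server; users, dates and flags are illustrative only.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "password_required": True, "never_expires": False,
     "password_last_set": "2012-01-15", "last_logon": "2012-03-01"},
    {"user": "bob", "password_required": True, "never_expires": True,
     "password_last_set": "2011-06-01", "last_logon": "2012-02-28"},
    {"user": "svc_backup", "password_required": False, "never_expires": False,
     "password_last_set": "2011-11-20", "last_logon": "2012-03-02"},
    {"user": "carol", "password_required": True, "never_expires": False,
     "password_last_set": "2011-10-01", "last_logon": "2011-11-30"},
]

# Assumed company policy thresholds (not taken from the article).
MAX_PASSWORD_AGE_DAYS = 90
MAX_INACTIVE_DAYS = 90
AS_OF = date(2012, 3, 5)  # audit cut-off date for the period under review


def _days_since(ymd: str, as_of: date = AS_OF) -> int:
    """Whole days between an ISO date string and the audit cut-off date."""
    return (as_of - datetime.strptime(ymd, "%Y-%m-%d").date()).days


def find_exceptions(accounts, as_of: date = AS_OF,
                    max_age=MAX_PASSWORD_AGE_DAYS,
                    max_inactive=MAX_INACTIVE_DAYS):
    """Return {user: [finding, ...]} for accounts whose per-user settings
    override or defeat the server-level password policy."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct["password_required"]:
            issues.append("password not required")
        if acct["never_expires"]:
            issues.append("password never expires")
        if _days_since(acct["password_last_set"], as_of) > max_age:
            issues.append("password older than policy maximum")
        if _days_since(acct["last_logon"], as_of) > max_inactive:
            issues.append("no logon within inactivity limit")
        if issues:
            findings[acct["user"]] = issues
    return findings
```

Each entry in the returned dictionary is one exception the auditor would document alongside the server-level policy review, so the evidence covers the control in its entirety.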
Different types of audit evidence are gathered during the audit process, for example:[3]
The following are possible techniques for gathering audit evidence:
Sampling is an audit procedure that tests less than 100 percent of the population.[7] There are different types of sampling methods that an IS auditor can apply to gather sufficient evidence to address the audit objectives and the rate of risk identified. Sampling methods can be statistical or nonstatistical. Statistical sampling involves deriving the sample quantitatively; the statistical methods commonly used are random sampling and systematic sampling. Nonstatistical sampling involves deriving the sample qualitatively; commonly used nonstatistical methods are haphazard and judgmental sampling.
The sampling size applied depends on the type of control being tested, the frequency of the control and the effectiveness of the design and implementation of the control.
The following are the two types of controls:
Examples of manual controls include review of audit log monitoring, review of user authorization access forms, and review of daily IT procedures, server monitoring procedure and help-desk functions. Figure 3 provides examples of IT controls, the technique that can be used to gather evidence and the sampling method that can be used.
Quality evidence collected during the audit process enhances the overall quality of the work performed and significantly reduces audit risk. Failure to collect quality evidence may result in the auditor or company facing litigation, loss of reputation and loss of clientele. It is important to ensure that the audit evidence obtained from the auditee is of high quality and supports the understanding of the IT control environment.
1 Cascarino, Richard E.; Auditor’s Guide to Information System Auditing, John Wiley & Sons, 2007
2 American Institute of Certified Public Accountants (AICPA), AU Section 326 Audit Evidence, www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00326.pdf
3 Aasmund, Eilifsen; Auditing and Assurance Services, 2nd Internal Edition, Forlag: McGraw-Hill, p. 122-127
4 Gleim, Irvin N.; CIA Part 2, 13th Edition, 2009
5 Holtby, Adam; “The ITIL process maturity framework can help identify improvement opportunities,” Ovum, 3 February 2012, http://ovum.com/2012/02/03/the-itil-process-maturity-framework-can-help-identify-improvement-opportunities/
6 ISACA, COBIT Assessment Programme, www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx
7 ISACA, G10 Audit Sampling, IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals, 2010, www.isaca.org/standards
8 Rajamani, Baskaran; “Certifying Automated Information Technology Controls: Common Challenges and Suggested Solutions,” Deloitte, www.deloitte.com/view/en_CA/ca/services/ceocfocertification/c1fcfa9d452fb110VgnVCM100000ba42f00aRCRD.htm
9 African Organization of English-speaking Supreme Audit Institutions (AFROSAI-E), Regularity Audit Manual, 2010
Ookeditse Kamau, CISA, CIA, has more than five years of experience in IT audit, and has worked as a senior IT auditor at Deloitte. She recently joined the Office of Auditor General Botswana, where she is working as principal auditor–IT audit.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2012 ISACA. All rights reserved.