MBA management

Information System - Audit Standards, Procedures and Guidelines topics:


A good definition of Information System Auditing is the process of collecting and assessing evidence to show that safeguards to protect against abuse, safeguards assets maintains data integrity and allows the organization to continue successfully. Often in today’s world the reason a system is audited is to determine if the organization is adhering or able to adhere to regulatory requirements such as SOX or HIPAA. Many of the problems that auditing is there to address are due to the speed that the technology changes, that without allow things to be done in some cases badly or just plain wrong.

Information System Auditing, also referred as automated data processing ( ADP) audits and IT infrastructure audits, is primarily an examination of the system controls within an Information technology (IT) infrastructure which is the process of evaluating the suitability and validity of an organization’s information systems, practices and operations. Information System Auditing has been developed to allow an organization to achieve goals effectively and efficiently through assessing that computer systems safeguard assets and maintain data integrity. Within an organization the managers are concerned that the systems they us provide the most effective way to maximize return on shareholder funds. Groups such as environmental groups, and civil rights groups are concerned with other aspects of how an organization runs their business.

Nearly 60 years ago most systems were manual with paper. Much of that work has now been replaced with computer systems. With the widespread use of computers we are now compelled to maintain control of the data in those systems. The misuse of data can lead to misallocated resources and abuse of privacy can occur with uncontrolled distribution of data. Whenever one of these events occurs the media makes sure the world knows about it as it produces good news copy, many people don’t understand and therefore fear is easy to generate. This provides support for the notion George Orwell’s 1984 is upon us.

With the widespread use of computers and the ever increasing computing power available in desktop and mobile computing devices, it is important to control how the data within these devices is managed.

Everest 1985 proposed that the data within an organization was an image of itself the failure or success of this image will determine the success or failure of the organization , if some is lost then the organization will incur loss . An example of this is when the purchasing records are destroyed, then a business can suffer failure through inability to manufacture and/or supply to customers. This can occur when management fails to provide adequate budget to support proper backups. The lost data then becomes unrecoverable.

The misuse of computer system can lead either directly or indirectly to poor decision making. This can occur when either someone edits data to represent incorrect information thereby leading others to make bad decisions or the person reviewing data can temper with it to allow with it to allow them to give incorrect information. Recently the world has seen a number of events that are evidence of what goes wrong when this happens. Computer abuse is becoming more prevalent in organizations that abuse is an increasing expense to the business.

Foundations of Information System Auditing

The advent of computing brought with it a whole new chapter in the audit process. Computers had affected the auditor’s ability to carry out part of what they had previously done. Things such as system privileges and how they affected what data a person has access to; the suitability of the audit trail provided by the application to provide the necessary evidence for ascertaining whether events have occurred and when they are not always fully present in some systems. Information system auditing bass its framework on the knowledge of 4 other disciplines. They are information system management, computer science, behavioral science and traditional auditing.

Auditors are concerned with four objectives: asset safeguards ,data integrity system effectiveness and system efficiency. One of the key things of auditing is to identify whether errors and irregularities will cause material losses. Auditing might also assess whether the processes followed have contributed or are contributing to any ongoing losses. To assess these auditors need to collect evidence. Auditors might not detect real or potential losses due to the test nature of the audit. A basis for determining the desired level of risk the use of the following model is of some significance. DAR= IR X CR x R, where DAR is the desired audit risk, IR is the inherent risk and CR is the control risk. DR is the detection risk. The detection risk is to allow for the fact that it is possible to overlook something when building the risk profile, A missed script, and error in some code. The likelihood of these events occurring should add up to the detection risk.

The scope of an Information System Audit

However, the normal scope of an information systems audit still does cover the entire lifecycle of the technology under scrutiny, including the correctness calculations. The word “scope” is prefaced by ”normal” because the scope of an audit is dependent on its objective. Audits are always a result of some concern over the management of assets. The concerned party may be a regulatory agency, an asset owner, or any stakeholder in the operation of the systems environment, including systems managers themselves. That party will have an objective in commissioning the audit. The objective may be validating the correctness of the systems calculations , confirming that systems are appropriately accounted for as assets, assessing the operational integrity of an automated process, and verifying that confidential data is not exposed to unauthorized individuals, and /or multiple combinations of these and other systems-related matters of importance. The objective of an audit will determine its scope.

It is sometimes a challenge for auditors representing management interests to map the audit objective onto technology. They first identify business activity that is most likely to yield the best type of evidence to support the audit objective. They identify what application systems and networks are used to handle the information that supports the business activity . For example , an audit may focus on a given IT process, in which case its scope will include the systems used to create input for, to execute, or to control the IT process, AN audit that focuses on data privacy will cover technology controls that enforce confidentially controls on any database, file system, or application server that provides access to personally identifiable data.

From the point of view of the IT Manager, scope should be clear from the outset of the audit. It should be a well-defined set of people, process, and technology that clearly corresponds to the audit objective. If an auditor does not understand the technology environment prior to the beginning of an audit, there may be mistakes in scope definition. Where such mistakes happen, they are often caught in the course of the audit, and systems that previously were not in scope may be declared to be in scope. The audit professional calls this “scope creep” They generally try to avoid it, because the consequence is that more resources than planned will be necessary to meet the audit objective.

Once a scope is determined, an auditor will be provided with a contact for the review. In some organizations, the role of audit liaison is formally assigned. This role often falls to an information security professional, but there is no expectation on the part of audit that it be someone in security. By default, it would be the highest ranking person in the IT Management chain whose responsibilities fully cover the systems within the scope of the audit. This contact will be requested to provide background information on the systems that an auditor can use to plan the audit. Policies, architecture diagrams, systems manuals and other sorts of documentation will often b requested in advance of an audit.


The Audit Charter establishes the department’s position within the organization.


An important part of the process for managing an audit function involves planning. Planning covers both administration of the audit office as well as administration of the audit assignment. For successful audits, we need to know what we want to achieve (audit objectives), determine what procedures we should follow (audit methodology), and assign qualified staff to the audit ( resource allocation).

Audit planning form/ Audit Strategy Memorandum/ Audit Issue Control Document- is designed to assist the auditor in gathering information necessary to obtain an understanding of the client, its business and industry and its internal controls. Also , provides guidance in evaluating the risk of material misstatement of thee financial statements.


1. To create a new annual audit plan (for more than one year), the audit planner copies the audit plan from the previous year or creates a new annual audit plan. In the same step, the audit planner can structure the audit plan into sub plans documents can be assigned to each audit plan.

2. For each audit the audit planner determines the planned duration of the audit, the location, the audited area, the lead auditor, and the participants.

3. The approver (for example, the managing director) approves the audit plan.

4. The audit planner releases the annual plan. When the audit planner release the annual audit plan, this version of the audit plan is ‘frozen’ and no subsequent changes can be made.

5. The lead auditor uses the audit to create his /her audits.

6. If dates are shifted , it is the responsibility of the lad auditor to inform the audit planner about the delay of the planned audit.

7. The audit planner stores these date shifts in the current audit plan. Date shifts for planned audits that were carried out in Microsoft Project are automatically updated in the audit plan.

8. The lead auditor or audit planner creates a question list for audit or assigns an existing question list to the audit. In the latter case, he/she may change thee questions and assign a possible valuation to new questions, and then save the current question list.

9. The lead auditor informs all people involved in the audit (participants).

Optional Activities

• The audit planner creates a checklist for the auditors to help with the audit execution.

• The audit planner creates a current questionnaire for the audit execution.


Audit evidence is evidence obtained during an Information system audit and recorded in the audit working papers.

• In the audit engagement acceptance or reappointment stage, audit evidence is the information that the auditor is to consider for the appointment .For example, change in the entry control environment, inherent risk and nature of the entity business and scope of audit work.

• In the audit planning stage, audit evidence is the information that the auditor is to consider for the most effective and efficient audit approach. For examples, reliability of internal control procedures, and analytical review systems.

• In the control testing stage, audit evidence is the information that thee auditor is to consider for the mix of audit test of control and audit substantive tests.

• In the substantive stage, audit evidence is the information that the auditor is to make sure the appropriation of Information System Assessment. For examples, existence, rights and obligations, occurrence , completeness, valuation, measurement, presentation and disclosure of a particular transaction or account balance.

• In the conclusion and opinion formulation stage, audit evidence is information that the auditor is to consider whether the financial statement as a whole presents with completeness, Validity accuracy and consistency with the auditor’s understanding of the entity.

Types of Audit Evidence

For a description of appropriate, reliable and sufficient evidence, refer to the commentary section in standard of audit evidence taken in information system audit.

When planning the IS audit work, the IS auditor should take into account the type of audit evidence to be gathered, its use as audit evidence to meet audit objectives and its varying levels of reliability. Amongst the things to be considered are the independence and qualifications of the provider of the audit evidence. For example, corroborative audit evidence from an independent third party can be more reliable than the representations of an individual.

The IS auditor should also consider whether testing of controls has been completed and attested to by an independent third party and whether any reliance can be placed on that testing.

The various types of audit evidence that the IS auditor should consider using include:

• Observed processes and existence of physical items
• Documentary audit evidence
• Representations
• Analysis

Observed processes and existence of physical items can include observations of activities, property and IS functions such as:

• An inventory of media in an offsite storage location
• A computer room security system in operation

Documentary audit evidence, recorded on paper or other media, can include:

• Results of data extractions
• Records of transactions
• Program listings
• Invoices
• Activity and control logs
• System development documentation

Representations of those being audited can be audit evidence, such as:

• Written policies and procedures
• System flowcharts
• Written or oral statements

The results of analyzing information through comparisons, simulations, calculations and reasoning can also be used as audit evidence. Examples include the following:

1) Benchmarking IS performance against other organizations or past periods
2) Comparison of error rates between applications, transactions and users

Availability of Audit Evidence

The IS auditor consider the time during which information exists or is available in determining the nature ,timing, extent of substantive testing and, if applicable, compliance testing. For example, audit evidence processed by electronic data interchange (EDI), document image processing (DIP) and dynamic systems such as spreadsheets may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up. Documentation availability could also be impacted by company document retention policies.

Selection of Audit Evidence

The IS auditor should plan to use the most appropriate, reliable and sufficient audit evidence attainable and consistent with the importance of the audit objective and the time and effort involved in obtaining the audit evidence.

Where audit evidence obtained in the form of oral representations is critical to the audit opinion or conclusion, the IS auditor should consider obtaining documentary confirmation of the representations, either on paper or other media. The auditor should consider alternative evidence to corroborate these representations to ensure their reliability.


On the completion of each audit assignment, the Auditor should prepare a written report setting out the audit observations and conclusions in an appropriate form; its content should be easy to understand, free from ambiguity and supported by sufficient, competent and relevant audit evidence and be independent, objective, fair, complete, accurate, constructive and concise.

1) The auditor should issue the reports in a timely manner for use by management, legislature and other interested users.

2) The audit report may be presented on other media that are retrievable by other users and the audit organizations .Retrievable audit reports include those, which are in electronic formats and may be released on the Internet.

3) With regard to audit of financial statements, the auditor should prepare a report expressing opinion on the fair presentation of the financial position of the audited entity in the financial statement. Form and content of this report and the nature of opinion is discussed in the following paragraphs.

4) With regard to fraudulent practice or serious financial irregularities detected during audit or examined by audit, a written report should be prepared. This report should indicate the scope of audit, main findings, total amount involved, modus operandi of the fraud or the irregularity, accountability for the same and recommendations for improvement of internal control system, fraud prevention and detection measures to safeguard against recurrence of fraud/ serious irregularity.

5) With regard to performance or Value for Money audits, the report should include a description of the scope and coverage of audit, objective of audit, area of audit, main findings in respect of the efficiency, economy and effectiveness (including impact) aspects of the area (subject matter) which was audited and recommendations suggesting the improvements that are needed.

6) With regard to regularity audits, the auditor should prepare a written report which may either be a part of the report on the financial statements or the value for Money Audit or a separate report on the tests of compliance of applicable laws and regulations. The report should contain a statement on the results of the tests to indicate the nature of assistance i.e. positive or negative obtained from the tests.

7) Reporting standards constitute the framework for the audit organization and the auditor to report the results of audit of regularity or performance audit or expressing audit or expressing his opinion on a set of financial statements.

8) These standards are to assist and not to supersede the prudent judgment of the Auditor in marketing audit observations, conclusions and report.

9) The expression “Reporting “ embraces both the Auditor’s opinion on a set of financial statement and thee auditor’s report on regularity , performance or value for money audit and also the reports prepared on periodical inspection of the records of an audit entity.

10) The audit report should be complete. This requires that the report contains all pertinent information needed to satisfy the audit objectives and to promote an adequate and correct understanding of the matter reported. It also means including appropriate background information.

11) In most cases, a single example of a deficiency is not sufficient to support a broad conclusion or a related recommendation. All that it supports is that a deviation, an error or a weakness existed. However, except as necessary, detailed supporting data need not be included in the report.

12) Accuracy requires that the evidence presented is true and thee conclusions bee correctly portrayed. The conclusions should flow the evidence. The need for accuracy is based on the need to assure the users that what is reported is credible and reliable.

13) The report should include only information, findings and conclusions that are supported by competent and relevant evidence in the auditor’s working papers. Reported evidence should demonstrate the correctness and reasonableness of the matters reported.

14) Correct portrayal means describing accurately the audit scope and methodology and presenting findings and conclusions in a manner consistent with the scope of audit work.

15) Objectivity requires that the presentation throughout the report be balanced in content and tone. The audit report should be fair and not be misleading and should place the audit results in proper perspective. This means presenting the audit results impartially and guarding against the tendency to exaggerate or over-emphasize deficient performance. In describing shortcomings in performance, the Auditor should present the explanation of thee audited entity and stray instances of deviation should not be used to reach broad conclusions.

16) The tone of reports should encourage decision-makers to act on the auditor’s findings and recommendations. Although findings should be presented clearly and forthrightly, the auditor should keep in mind that one of the objectives is to persuade and this can best be done by avoiding language that generate defensiveness and opposition.

17) Being convincing requires that the audit results be presented persuasively and the conclusions and recommendations followed logically from the facts presented. The information presented should be sufficient to convince the readers to recognize the validity of the findings and reasonableness of audit conclusions. A convincing report can help focus the attention of management on matters that need attention and help stimulate correction.

18) Clarity requires that the report be easy to read and understand. Use of non-technical language is essential. Wherever technical terms and unfamiliar abbreviations are used, they should be clearly defined. Both logical Organization of the materials and precision in stating the facts and in drawing conclusions significantly contribute to clarity and understanding. Appropriate visual aids ( such as photographs, charts, graphs and maps etc.) should be used to clarify and summaries complex material.

19) Being concise requires that the reports is no longer than necessary to convey the audit opinion and conclusions. Too much of details detracts from the report and conceals the audit opinion and conclusions and confuses the readers. Complete and concise reports are likely to receive greater attention.

20) Being constructive requires that the report also include well thought out suggestions, in broad terms, for improvements, rather than how to archive them. In presenting the suggestions due regard should be paid to the requirements of rules and orders, operational constraints and the prevailing milieu. The suggestions should be discussed with sufficiently high level functionaries of the entities and as far as possible, their acceptances obtained before these are incorporated in the report.

21) Timeliness requires that the audit reports should be made available promptly to be of utmost use to all users, particularly to the audited organizations and/ or Government who have to take requisite action.


The COBIT Framework states, ”It is management’s responsibility to safeguard all the assets of the enterprise. To discharge this responsibility, as well as to achieve its expectations, management must establish an adequate system of internal control.”

COBIT’s Management Guidelines provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:

Performance measurement - how well is the IT function supporting business requirement?

IT control profiling - What IT processes are important? What are the critical success factors for control?

Awareness - what are the risks of not achieving the objectives?

Benchmarking - what do others do? How can results bee measured and compared?

The Management Guidelines provide example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management measure control capability and identify control gaps and strategies for improvement.

The Management Guidelines can be used to support self-assessment workshops and they can also be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.

COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s information criteria.

Need for procedures

Although the IS auditor has no explicit responsibility to detect or prevent irregularities, the IS auditor should assess the level of risk that irregularities could occur. The result of thee risk assessment and other procedures performed during planning should be used to determine the nature, extent and timing of the procedures performed during the engagement. The IS auditor should use his/her professional judgment. This document is intended to assist the IS auditor in achieving this purpose.

An audit cannot guarantee that irregularities will be detected. Even when an audit is planned and performed appropriately, irregularities could go undetected.

The IS auditor may be given information about a suspected irregularity or illegal act and may use data analysis capabilities to gather further information.


Management is responsible for designing, implementing and maintaining a system of internal controls including the prevention and detection of irregularities and they must be reasonably conversant with the subject of irregularities to identify real factors that may contribute to its occurrence.


Where the IS audit objective relates to systems or operations that process financial transactions, the value of the assets controlled by the systems(s) or the value of transactions processed per day/week/month/year should be considered in assessing materiality.

Where financial transactions are not processed, the following are examples of measures that could be considered to assess materiality. Criticality of the business processes supported by the system or operation cost of the system or operation ( hardware, software, staff, third-party services, overheads or a combination of these) potential cost of errors (possibly in terms of lot sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high waste, etc.)

• Number of accesses/ transactions/inquiries processed per period
• Nature, timing and extent of reports prepared and files maintained
• Nature and quantities of materials handled (such as where inventory movements are recorded without values)
• Service level agreement requirements and cost of potential penalties
• Penalties for failure to comply with legal and contractual requirements
• Penalties for failure to comply with public health and safety requirements
• Consequences to shareholders, organization or management of irregularities going unresolved


Assess and manage IT risks satisfies the business requirement for IT analyzing and communicating IT risks and their potential impact on business processes and goals by focusing on development of a risk management framework that is integrated in business and operational risk management frameworks, risk assessment, risk mitigation and communication of residual risk.

Monitor and Evaluate Internal Control satisfies thee business requirement for IT of protecting the achievement of IT objectives and complying with IT- related laws, regulations and contracts by focusing on monitoring the internal control processes for IT- related activities and identifying improvement actions.

The level of audit work required to meet a specific audit objective is a subjective decision made by the IS auditor. The risk of reacting an incorrect conclusion based on the audit finding ( audit risk) is one aspect of this decision. The other is the risk of errors occurring in the area being audited ( error risk). Recommended practices for risk assessment in carrying out financial audits are well documented in auditing standards for financial auditors, but guidance is required on how to apply such techniques to IS audits.

Members of management also bases their decisions on how much control is appropriate upon assessment of the level of risk exposure that they are prepared to accept. For example, the inability to process computer applications for a period of time is an exposure that could result from unexpected and undesirable events (e.g., data centre fire). Exposures can be reduced by the implementation of appropriately designed controls. These controls are ordinarily based upon probabilistic estimation of the occurrence of adverse events and are intended to decrease such probability. For example, a fire alarm does not prevent fires, but it is intended to reduce the extent of fire damage.

This guideline provides guidance in applying IS Auditing Standards. The IS auditor should consider it in determining how to achieve implementation of standards S5 and S6 , use professional judgment in its application and be prepared to justify any departure.

Selection of a Risk Assessment Methodology

There are many risk assessment methodologies available from which the IS auditor may choose. These range from simple classifications of high, medium and low, based on the IS auditor’s judgment, to complex and apparently scientific calculations to provide a numeric risk rating. IS auditors should consider the level of complexity and detail appropriate for the organization being audited.

IS auditors should include, at a minimum, an analysis, within the methodology, of the risks to the enterprise resulting from the loss of and controls supporting system availability, data integrity and business information confidentiality.

All risk assessment methodologies rely on subjective judgments at some points in the process (e.g., for assessing weighting to the various parameters). The IS auditor should identify the subjective decisions required to use a particular methodology and consider whether these judgments can be made and validated to an appropriate level of accuracy.

In deciding which is the most appropriate risk assessment methodology, IS auditors should consider such things as:

The type of information required to be collected (some systems use financial effects as the only measure - this is not always appropriate for IS audits).

The cost of software or other licenses required to use the methodology.

The extent to which the information required is already available .The amount of additional information required to be collected before reliable output can be obtained and the cost of colleting this information (including the time required to be invested in the collection exercise).

The opinions of other users of the methodology and their views of how well it has assisted them in improving the efficiency and/or effectiveness of their audits.

The willingness of management to accept the methodology as the means of determining the type and level of audit work carried out.

No single risk assessment methodology can be expected to be appropriate in all situations. Conditions affecting audits may change over time. Periodically, the IS auditor should re-evaluate the appropriateness of the chosen risk assessment methodologies.

Use of Risk Assessment

IS auditors should use the selected risk assessment techniques in developing the overall audit plan and in planning specific audits. Risk assessment , in combination with other audit techniques, should be considered in making planning decisions such as:

• The nature, extent and timing of audit procedures
• The areas or business functions to be audited
• The amount of time and resources to be allocated to an audit

The IS auditor should consider each of the following types of risk to determine their overall level:

• Inherent risk
• Control risk
• Detection risk

Inherent Risk

Inherent risk is the susceptibility of an audit area to error in a way that could be material, individually or in combination with other errors, assuming that there were no related internal controls. For example, the inherent risk associated with operating system security is ordinarily high, since changes to , or even disclosure of, data or programs through operating system security weaknesses could result in false management information or competitive disadvantage. By contrast, the inherent risk associated with security for a stand-alone PC, when a proper analysis demonstration it is not used for business-critical purposes, is ordinarily low.

Inherent risk for most IS audit areas is ordinarily high since the potential effects of errors ordinarily spans several business systems and many users.

In assessing the inherent risk, the IS auditor should consider both pervasive and detailed IS controls. This does not apply to circumstances where the IS auditor’s assignment is related to pervasive IS controls only.

At the pervasive IS control level, the IS auditor should consider, to the level appropriate for the audit area in question;

The integrity of IS management and IS management experience and knowledge Changes in IS management pressures on IS management that may predispose them to conceal or misstate information (e.g., large business- critical project overruns, hacker activity).

The nature of the organization’s business and systems (e.g., the plans for e-commerce, the complexity of the systems, the lack of integrated systems).

Factors affecting the organization’s industry as a whole (e.g., changes in technology, IS staff availability).

The level of third –party influence on the control of the systems being audited (e.g., because of supply chain integration, outsourced IS processes, joint business ventures, and direct access by customers and the IS controls).

Control Risk

Control Risk is the risk that an error that could occur in an audit area and could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often missed easily, owing to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low because the processes are consistently applied.

The IS auditor should assess thee control as high unless relevant internal controls are:

• Identified
• Evaluated as effective
• Tested and proved to be operating appropriately

Detection Risk

Detection risk is that the IS auditor’s substantive procedures will not detect an error that could be material , individually or in combination with other errors. For example, the detection risk associated with identifying breaches of security in an application system is ordinarily high because logs for the whole period of the audit are not available at the time of the audit. The detection risk associated with identifying a lack of disaster recovery plans is ordinarily low, since existence is verified easily.


IS auditors should consider documenting the risk assessment technique or methodology used for a specific audit. The documentation should ordinarily include:

• A description of the risk assessment methodology used
• The identification of significant exposures and the corresponding risks
• The risks and exposures the audit is intended to address
• The audit evidence used to support the IS auditor’s assessment of risk

The specialized nature of information systems( IS) auditing, and the skills necessary to perform such audits, require standards that apply specifically to IS auditing. One of the Information Systems Audit and Control Association, Inc.’s( ISACA’s) goals is therefore to advance globally applicable standards to meet this need. The development and dissemination of IS Auditing Standards are a cornerstone of the ISACA’s professional contribution to The ISACA Standards. Board is committed to wide consultation in the preparation of IS Auditing Standards. Board is committed to wide consultation in the preparation of IS Auditing Standards, Guidelines and Procedures . Prior to issuing any documents, the Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.”

Any information is material if its mis-statement could influence the economic decisions of the any user who uses the information audited by the principal auditor as the basis of his decision. Material statements are always relative and depend upon the size and nature of the item, judged in particular situations and circumstances of its mis-statement. The assessment of what is material is a matter of professional judgment of the principal auditor which needs to be taken in the course of auditing the financial information of the entity.

The principal auditor considers material statements at both the overall financial information level and in relation to individual account balances and class of transactions. Material statements may also be influenced by the legal and statutory framework and requirements.

The principal auditor must take into account the possibility of mis-statement of relatively small amounts that, cumulatively could have material effect on the financial information.

There is an inverse relation between material statements and the degree of audit risk, that is, higher the material statement level, lower the audit risk and vice versa. For example the risk that a particular account balance or class of transaction could be misstated by an extremely small amount might be very high. The principal auditor takes this inverse relationship between material statements and audit risk into account when determining the nature, timing and extent of his auditing procedures.

In forming his opinion on financial information, the principal auditor should consider whether the effects of aggregate uncorrected mis-statements on the financial information are material. The aggregate of uncorrected mis-statement comprises specific mis-statements identified by the principal auditor and the principal auditor ‘s best estimates which cannot be specifically identified. Qualitative considerations also influence a principal auditor in reaching a conclusion to whether the mis- statements are material. If the analytical auditing procedures indicate that mis-statements might be present, but not it’s or approximate near about amount, the principal auditor generally would have to use other auditing procedures to enable him to estimate the aggregate mis-statement.


The internal auditors shall be obliged to adhere to the principles and rules of the Code in order to be independent, objective and honest in their performance of tasks and also to improve permanently for the purpose of work quality improvement.

To achieve the highest ethical standards of their own behavior shall be their personal responsibility and duty of each internal auditor. Their duty shall be to consult colleagues if they shall have any ethical doubts. However, each internal auditor shall act in his/her activities as an independent person and shall amend and enrich the rules given by this Code, his/her personal system of human values, culture and life experience.

The Code’s principles shall represent the background on which the rules of ethical and professional performance of internal auditors’ tasks shall be based. The Code’s rules shall represent the elaboration of principles, by which professional and ethical behavior of internal auditors shall be defined.
Copyright © 2015         Home | Contact | Projects | Jobs

Review Questions
  • 1. What is information audit? What are the needed standards therefor?
  • 2. What are the foundation for an information system audit and what is the scope of such an audit?
  • 3. What are the known management practices while setting control objectives for audit testing?
  • 4. What is audit evidence? What are the different types of audit evidence?
  • 5. What are the essential features of an audit report?
  • 6. What is risk assessment in audit planning? How will you asses risk in audit planning.
Copyright © 2015         Home | Contact | Projects | Jobs

Related Topics
Information System - Audit Standards, Procedures and Guidelines Keywords
  • Information System - Audit Standards, Procedures and Guidelines Notes

  • Information System - Audit Standards, Procedures and Guidelines Programs

  • Information System - Audit Standards, Procedures and Guidelines Syllabus

  • Information System - Audit Standards, Procedures and Guidelines Sample Questions

  • Information System - Audit Standards, Procedures and Guidelines Subjects

  • EMBA Information System - Audit Standards, Procedures and Guidelines Subjects

  • Information System - Audit Standards, Procedures and Guidelines Study Material

  • BBA Information System - Audit Standards, Procedures and Guidelines Study Material