Evidence collection
Auditors rely on evidence collected from the organization to determine the extent to which the elements examined in the audit satisfy specified criteria. Audit standards distinguish between information provided by an organization or gathered by auditors and evidence, the latter consisting of information that auditors are able to verify using methods appropriate for the scope, objectives, and criteria of the audit and for the type of information under examination [1]. In IT audits, key evidence collection activities typically include those shown in Figure 8.2: reviewing documentation provided by the organization or gathered from interviews with personnel, observing operational procedures or activities, testing controls, and checking technical configuration settings for IT components. Sources of information therefore become sources of evidence when and if auditors are able to fully evaluate the information, confirm its accuracy and completeness, and correlate it to audit criteria. Evidence collected by auditors provides the basis for audit findings, including indications of insufficient or ineffective controls or determinations of conformity. Auditors record the types of information they examine and the methods they use to collect evidence in work papers that—separate from audit findings that result from evidence collection and analysis—document the procedural steps each auditor follows. Describing the audit process in detail, in this manner, helps ensure the reliability and validity of the audit results by enabling review of each auditor’s work by the audit manager or other auditors on the team.
156 CHAPTER 8 IT Audit Processes
FIGURE 8.2 (diagram not reproduced): Information sources (Documentation, Observation, Testing, Configuration) feed Evidence collection and analysis, which produces Audit findings.
IT auditors collect evidence from multiple sources using a variety of methods, examining procedural and technical documentation, observing process execution and personnel behavior, testing controls, and checking system and environment configuration settings.
Relevant sources of IT audit evidence vary among different types of audits and their purposes and objectives. To fully examine a process, system, or environment that implements administrative, technical, and physical controls, auditors typically need to consider a wide range of criteria corresponding to many sources of information and evaluation methods. The audit guidelines provided in ISO 19011 identify many information sources auditors may select depending on audit scope, complexity, and the criteria that must be satisfied, including [1]:
documents such as policies, plans, procedures, standards, guidelines, technical specifications, contracts, licenses, and service level agreements;
interviews with organizational personnel responsible for operating or managing the subject under examination;
direct observation of activities occurring in the organizational environment;
applications, databases, user interfaces, and other technical components;
performance data such as customer and supplier satisfaction ratings or quality reports produced by third parties; and
simulated or actual control testing, modeling, or exercises.
When conducting audits of large or complex organizations or subject matter, the volume of information auditors must consider in the evidence collection process may exceed the capacity of the audit team. In such cases auditors may engage in information sampling, applying audit methods to a subset of the available information. Sampling can improve the feasibility and cost effectiveness of an audit, but imposes additional procedural requirements on auditors to make sure that sampling methods used in an audit are sound, appropriate for the type of audit, and statistically valid and that the sample taken is representative of the entire set of information.
Table 8.2 Applicability of Audit Methods for Different Types of Evidence
Methods: Applicability
Examination: System documentation, specifications, diagrams; plans, policies, procedures, instructions, guidelines; standards, frameworks, methodologies
Interviewing: Employees with operational responsibility for audit subjects; managers responsible for governance, risk, and compliance; customers, support personnel, system end users
Observation: Software or hardware functionality; operational activities, processes, practices, exercises; personnel behavior
Testing: Technology components; hardware devices; application software and systems; procedural controls and technical capabilities
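The following script is an added example, not part of the chapter, illustrating two points made above: that only information an auditor can independently verify counts as evidence, and that sampling must be reproducible and representative, with the method recorded in work papers. The host inventory, the password-length criterion, the sampling fraction, and the seed are all hypothetical values constructed for the illustration; it uses proportional stratified random sampling, one common way to keep every part of a population represented, which the chapter itself does not prescribe.

```python
"""Added example (not from the book chapter): stratified audit sampling
over a constructed configuration inventory, a configuration check of each
sampled item against an audit criterion, and a work-paper record of the
method used so another auditor can review or repeat the sample."""
import math
import random
from collections import Counter

# Audit criterion (hypothetical): minimum password length of 12 characters.
CRITERION = {"name": "minimum password length", "required": 12}


def build_inventory():
    """Constructed inventory of 40 hosts in three environments (strata).
    'claimed' is information supplied by the organization; 'observed' is
    the value an auditor retrieves directly from the component and can
    verify, so only 'observed' can serve as evidence."""
    inventory = []
    for env, count in (("prod", 20), ("test", 10), ("dev", 10)):
        for i in range(1, count + 1):
            host = f"{env}-{i:02d}"
            # Two hosts deviate from the documented setting (constructed data).
            observed = 8 if host in ("prod-07", "dev-03") else 12
            inventory.append({"host": host, "environment": env,
                              "claimed_min_pw_len": 12,
                              "observed_min_pw_len": observed})
    return inventory


def stratified_sample(records, stratum_key, fraction, seed):
    """Proportional stratified random sample: every stratum is represented
    with at least one item, drawn with a fixed seed so the draw can be
    reproduced from the parameters recorded in the work papers."""
    rng = random.Random(seed)
    sample = []
    for stratum in sorted({r[stratum_key] for r in records}):
        members = [r for r in records if r[stratum_key] == stratum]
        n = max(1, math.ceil(len(members) * fraction))
        sample.extend(rng.sample(members, n))
    return sample


def check_configuration(record):
    """Evaluate one sampled item: does the observed setting satisfy the
    criterion, and does it match what the organization claimed?"""
    observed = record["observed_min_pw_len"]
    return {"host": record["host"],
            "method": "configuration check",
            "claimed": record["claimed_min_pw_len"],
            "observed": observed,
            "conforms": observed >= CRITERION["required"],
            "claim_matches_observation": observed == record["claimed_min_pw_len"]}


def work_paper(records, fraction=0.25, seed=8):
    """Record the sampling method, population and sample composition,
    each individual result, and the findings that follow from them."""
    sample = stratified_sample(records, "environment", fraction, seed)
    results = [check_configuration(r) for r in sample]
    return {
        "population_size": len(records),
        "population_by_stratum": dict(Counter(r["environment"] for r in records)),
        "sampling_method": (f"stratified random, proportional allocation, "
                            f"fraction={fraction}, seed={seed}"),
        "sample_size": len(sample),
        "sample_by_stratum": dict(Counter(r["environment"] for r in sample)),
        "criterion": CRITERION,
        "results": results,
        "findings": sorted(r["host"] for r in results if not r["conforms"]),
    }


if __name__ == "__main__":
    paper = work_paper(build_inventory())
    print(paper["sampling_method"], paper["sample_by_stratum"])
    print("findings:", paper["findings"])
```

The work-paper record keeps the claimed and observed values side by side for every sampled host, so a reviewing auditor can see which items were verified rather than taken on trust, and can re-run the same draw from the recorded fraction and seed. Whether the chosen fraction is statistically adequate for a given audit is a separate judgement the script does not make.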