By Rafael Gomes *
Systems auditing plays a very important role in the corporate environment. It is through auditing that organizations can increase the degree of confidence in their processes and verify that their activities have been implemented correctly and/or are carried out in accordance with certain control points, which may be the norms or procedures required for business development.
Audits can be divided into two categories: internal audit and external audit. Internal audit is responsible for evaluating the management process in order to point out possible deviations and vulnerabilities that may affect the organization; this type of audit is performed continuously by the organization's own auditors.
The external audit, on the other hand, has as its main objective giving the organization credibility with investors, based on auditing compliance with the established controls. These audits are performed by third-party companies or by employees within a specified period.
Since audits may be performed by many different companies and qualified professionals, and since the scenario and field of activity of the audited organization are taken into account when performing them, the way an audit is carried out varies from auditor to auditor. To assist the auditor and create a kind of widely shared roadmap, the ISACA standards for information systems auditing were created.
The ISACA standards are divided into three groups: the 1000 series presents the general principles of auditing; the 1200 series describes procedures for conducting the audit; and the 1400 series describes standards for preparing audit reports. In this article we describe the procedures adopted in the 1200 family of standards.
ISACA is a non-profit organization founded in 1969 that aims to lead, adapt and secure trust in digital environments by providing expertise such as standards, certifications, networking and career development for professionals. It also offers frameworks for information technology management and systems auditing.
III. Standard 1200 Family
The main objective of this family is to describe procedures focused on the performance of information systems audits. It is divided into seven standards, covering items such as: Contracting Planning, Risk Assessment in Planning, Performance and Supervision, Materiality, Evidence, Use of Other Expert Work, and Irregularities and Illegal Acts.
All of the standards contain items that are considered mandatory, as well as other key aspects that may or may not be considered in the development of an audit, depending on its scope.
A. Standard 1201 - Contracting Planning
This standard addresses the planning of an Information Systems audit engagement. It states that audit professionals should describe the nature, objectives, schedule and resource requirements of the engagement, as well as the timing and extent of the audit procedures needed to complete it.
Some aspects should be considered, such as understanding the activity that will be audited, conducting the procedure in accordance with current regulations and laws, considering whether the engagement will be internal or external, and developing a plan that ensures the project is delivered on time and at an appropriate cost, among other items.
B. Standard 1202 - Risk Assessment in Planning
When a risk assessment approach and a suitable supporting methodology are used in the development of the audit plan, a relevant risk assessment should be performed, and it is important to highlight the following:
performing a risk assessment at least once a year; including the organization's strategic plan and risk management initiatives in the assessment; designing and conducting future audits in specific areas; prioritizing and scheduling audits based on the risk assessment; and developing a response plan based on the risk assessment.
C. Standard 1203 - Performance and Supervision
This standard defines that it should be ensured that all work performed stays within the agreed scope and deadlines, and that a professional with a supervisory function ensures the audit objectives are met. Professionals should accept only tasks that are within their knowledge and skills, and the team should contain only staff members whose skills and experience meet the needs of the engagement. Sufficient evidence should be obtained to draw up a conclusive report, and all processes and procedures used should be properly documented to support the results and conclusions of the audit.
Professionals should also assign staff members who have the skills to perform their duties, manage the tasks and responsibilities of each member, and have each task reviewed by another member. The work performed should be documented and organized. Written statements should also be obtained from the auditee, defining the critical areas to be audited and recording the auditee's questions, and it should be ensured that these statements are duly signed by the auditee.
D. Standard 1204 - Materiality
This standard defines that audit professionals should consider certain factors, such as weaknesses or a lack of controls that may affect material evidence; they should consider the relationship between materiality and the risks it may pose to the audit process, and the definitions of materiality when these are provided by legislative or regulatory authorities.
The auditor should also recognize that the assessment of materiality and audit risk may vary from time to time, depending on the circumstances and on changes in the environment; determine whether the controls in use are effective; and determine whether these controls have one or more weaknesses that could become material weaknesses. These are further criteria the auditor must meet in order to ensure the materiality of the process.
E. Standard 1205 - Evidence
This standard proposes that, during an audit, professionals should obtain appropriate and sufficient evidence for the audit work to achieve the expected results. This evidence should include a description of the procedures performed, together with the results obtained from them and the source documents.
It is the auditor's job to consider the sources of the evidence collected and to ensure that it is protected from unauthorized access and modification and is retained even after the audit work is completed. Auditors should also document any situation in which the evidence needed to complete the audit accurately cannot be obtained.
F. Standard 1206 - Use of Other Expert Work
Where the work of third parties is required in an audit process, consideration should be given to the situations in which the scope of the audit shows such a need, for example where specific technical knowledge that the audit professionals do not have is required. The qualifications and competencies of these experts should be assessed as part of the audit process.
Audit professionals are responsible for determining whether the reports issued by third parties are conclusive for the audit process, and for having access to all working papers, documents and reports of the third-party specialists, provided that such access does not create legal problems.
G. Standard 1207 - Irregularities and Illegal Acts
Professionals should consider the risk of irregularities and illegal acts in the course of the audit. Any irregularities and illegal acts identified during the audit should be documented and reported, as should unusual or unexpected events that may indicate a risk of material error, a lack of controls, or distortions in data caused by irregularities or illegal acts.
Procedures should be performed to test whether the internal controls are adequate to prevent or detect illegal acts or irregularities, and to assess whether identified errors, control deficiencies or changes in data may constitute illegal acts or irregularities. Any illegal acts and irregularities found, even outside the scope of the audit, should then be reported to those charged with governance, and all communications, planning, results, assessments and conclusions related to possible illegal acts or irregularities encountered throughout the audit process should be documented.
It is concluded that the ISACA 1200 family of standards has the clear function of assisting an audit process and its stages, in a comprehensive way, by selecting practices that, when put into action, facilitate, document, supervise and lend credibility to the audit process.
This paper's conclusion credits the ISACA 1200 family for the planning requirements at the time of contracting the audit, the risk assessment performed during planning, the performance and supervision of the audited processes, the materiality and the evidence obtained, as well as the use of the work of third-party specialists when needed for the development of the work, and the handling of possible irregularities and illegal acts found during an audit. Each of these elements, whether related to the others or not, can provide a high level of assertiveness and merit to the conclusion of an audit.
* Rafael Gomes is a trainee at Safeway Consulting.
About SAFEWAY
SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet business needs. Over these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.
Today, through more than 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.
Let's make the world a safer place to live and do business!