The next objective is to perform the actual audit. Here you will need to make sure
you have the appropriate staff, ensure audit quality control, define auditee communications,
perform proper data collection, and review existing controls.

Allocating Staffing
You will need to have personnel for the audit and to define the audit’s organizational structure.
You also will need to create a personnel resource plan, which identifies specific functions
and skill sets necessary to complete your audit objectives. Individual skills and knowledge
should be taken into consideration while planning your audit. Remember, it’s impossible for
the auditor to be an absolute expert in everything.

You will need to rely on the work of others, including your own audit team members, subcontractors, and possibly members of the client’s staff. You should create a detailed staff training plan that is reviewed at least semiannually and before each audit. The time to train or
retrain personnel is before the audit begins.


    The auditor will lead persons with specialized skills, including the use of database scanners
    and other automated audit tools. A skills matrix should be developed, which indicates areas
    of knowledge, proficiency, and specialized training. Occasionally, finding a competent, independent expert in database administration for a particular vendor on your project may prove
    difficult. However, you might be able to train a member of the client’s support staff to provide
    sufficient assistance to complete the audit.

    Auditors frequently use the work of others as long as the following conditions are met:
    - Assess the independence and objectivity of the provider.
    - Determine their professional competence, qualifications, and experience.
    - Agree on the scope of work and approach used.
    - Determine the level of review and supervision required.

    If these conditions are met, the auditor may choose to use the work of others. A CISA
    should have serious concerns if the work does not meet their audit evidence requirement for
    any reason. You can use only evidence of sufficient quality, quantity, and relevance. Failure to
    meet this requirement may require a change in the audit scope or cancelling the audit.


    Ensuring Audit Quality Control
    Quality does not happen automatically. It is a methodology that must be designed into your
    process and not just inspected afterward. Quality control is necessary in every audit. Audit standards, guidelines, and procedures were developed to promote quality and consistency
    in a typical audit. The ISACA audit standards were developed to assist CISA auditors in performing audits. Additional guidance can be obtained by reading the ISACA audit guide
    at www.isaca.org/standards.

    Your audit will need a variety of quality performance metrics to ensure success. When
    designing a quality control process, an auditor should consider doing the following:
    - Use an audit methodology (documented plan and procedures).
    - Gain an understanding of the auditee needs and expectations.
    - Respect business cycles and deadlines.
    - Hold client interviews and workshops.
    - Use customer satisfaction surveys.
    - Agree to terms of reference used (discussed in Chapter 1).
    - Establish audit performance metrics.
    - Measure audit plan to actual performance.
    - Respond to auditee complaints.

    Defining Auditee Communications
    The auditor must work with management to define the auditee communication requirements.
    As discussed in Chapter 1, the auditee often feels at a disadvantage to the auditor. Without
    effective communication, the auditee will feel disillusioned, confused, or disconnected from
    the audit. Each of these conditions would be undesirable; audits without client buy-in would
    be a major disaster.

    It is your job to be a “second set of eyes” in reviewing the present condition at their organization.
    You are responsible for reporting accurate findings to senior management and the
    audit committee. The audit charter should assist you by defining the required level of auditee
    communication.

    To be effective in your communication, you need to consider several points, including the
    following:
    - Describing the audit’s purpose, service, and scope
    - Dealing with problems, constraints, and delays
    - Responding to client questions and complaints
    - Dealing with issues outside the scope of this particular audit
    - Timing and scheduling
    - Following the reporting process
    - Obtaining an agreement of your findings with your client
    - Implementing confidentiality and the principle of least privilege (need to know)
    - Providing special handling for evidence of irregularities or possibly illegal acts

    Nothing will replace the simple act of asking the client what level and frequency of communication
    they expect. The preceding points are simply a starting position. You should synchronize
    the auditee communication plan with your own internal audit team communication plans.
    During the planning process, the auditor will need to gain approval from management for
    access to the appropriate staff personnel. A member of the audit team may be assigned to coordinate everyone’s schedule.

    Now is a good time to introduce some of the data collection techniques that auditors use
    in audits.

    Using Data Collection Techniques
    As part of the planning process, the auditor needs to determine how data will be gathered for
    evidence to support the audit report. To collect useful data, the savvy auditor will use a combination of techniques including the following:
    - Observation of staff in the performance of their duties. Auditor observation is a powerful
    form of evidence.
    - Review of existing documentation. Remember, the evidence rule will apply. Presence of
    a document does not mean it is actually in use. You should review the auditee documentation
    and any related legal documentation. Legal documentation may be either contracts or regulatory laws.
    - Interviews of selected personnel appropriate to the audit. Be sure to structure the timing
    and questions for the interview. You need to ensure that the questions are consistent and
    to allow extra time to discuss any interesting points raised.
    - Workshops to generate awareness and understanding. The audit committee may be a good audience for a workshop. Well-executed workshops can save time compared to individual
    interviews.
    - Surveys.

    Each technique has its advantages and disadvantages. For example, surveys offer an advantage
    of time but have the disadvantages of inconsistency and limited response. A survey cannot
    detect a personal mannerism such as hesitancy, surprise, or restlessness.

    An auditor can observe an auditee during an interview and ask additional probing questions
    based on the auditee response. The auditor weighs each response in an attempt to create
    consistent scoring of answers by multiple interview subjects. Interviews consume more time
    but can gather additional information.

    Surveys may execute quickly but carry extra administrative support burdens. It will take time and resources to create the survey, distribute the survey, track responses, provide answer assistance, ensure quality control, and tally the results. Because of human nature, people will seldom answer a survey in a manner that reduces their agenda and perceived value to an organization.
