Summary
Highlights
The video introduces information systems auditing as a critical process for safeguarding an organization's digital nervous system. It outlines the master plan, including the language of IS auditing, the IS audit function, navigating the audit universe, the rule of law, and calling in experts.
This section defines key terms. 'Information' is data with meaning, 'Information System' is the machinery that moves this information, and 'Information Technology (IT)' refers to the tools used to build and maintain these systems. An 'Information Systems Audit' is then defined as the formal examination of management controls within an IT infrastructure. The Certified Information Systems Auditor (CISA) is introduced as the global standard for professionals in this field.
This part distinguishes between an 'audit charter' (the organization's overarching constitution approved by the board) and an 'engagement letter' (a specific mission brief for a single audit). It emphasizes the critical importance of independence for the IS audit function and the need for auditors to be technically competent and objective, reporting directly to an audit committee.
This section covers the strategic planning of an audit. An 'audit universe' encompasses all auditable units. Due to vastness, a systematic approach is necessary: defining auditable units, identifying risk through process owners, evaluating objective criteria (quantifying potential loss), and constructing an audit plan. It highlights the challenge of insufficient resources, often forcing management to accept unmitigated risks or augment staff.
This part discusses external forces like government and industry regulations. Auditors must document applicable laws, assess management's plans, review IT adherence to these rules, and actively check external contracts, given the significant legal impacts on electronic and personal data, e-commerce, and data storage.
When an audit requires specialized expertise not available internally, outsourcing becomes necessary. This requires careful evaluation of independence, supervisory controls, legal restrictions, scope of work, and professional liability. Strict security measures are crucial, including background checks, access control, confidentiality, and non-disclosure agreements. The video emphasizes that while audit work can be delegated, professional liability always remains with management.