MIS 5201-IT Audit Process

MIS 5201.001 – Mike Romeu

Week 13 – Reporting, Follow-Up and CSA

I am including an audit report from 2012 where the auditor is presenting the results of his assessment on IT’s system development life cycle (SDLC) ant the project management framework designed by the Project Management Office (PMO).

Please exercise judgement with this document.

Audit Report: SDLC Audit Review – Report

Class Video: Reporting, Follow-Up and CSA Video

Class Slides: Week 13 – Reporting and Follow-Up

Week 10- Wrap Up

This session was all about Audit Sampling – “the application of an Audit Procedure to less than 100% of the target population, for the purpose of drawing general conclusions about the entire population based on the characteristics detected in the sample“.

We learned about two types of Sampling approaches

  • Statistical – good for when you need to consider sampling risk, confidence level, and precision but costly and complex.
  • Non-Statistical – good because its flexibility, its greater reliance on auditor’s experience and judgement, and it allows reasonable reliability at a reasonable cost. Unfortunately the results are not statistically valid, they have a greater chance of resulting in wrong sample sizes, and do not provide an objective measure of sampling risk.

To illustrate a few points we evaluated an access management control with the intent of assessing compliance with approval requirements. We selected a sample of 103 new access or change to existing access requests, out of a population of 650. Testing the sample yielded 4 requests that were granted without proper approval (i.e. they failed the tests). Four (4) deviations out of a randomly selected sample of 103 exceeded our deviation rate tolerance of 6% demonstrating how the control was not working as intended.

We will revisit the subject of Sampling again next week running through a few more examples during our first half of our class. The second half will be dedicated to testing.

You will find a link to a video recording of this week’s session – including additional information regarding our project – and a copy of the slides. I also included a copy of the sampling tables we used during class.

Class VideoWeek 10 – Sampling

Class Slides:Week 10 – Sampling

Statistical Sample Size for Test of Control – to determine sample size (95% confidence interval)

Statistical Sampling Results Evaluation Table for Test of Controls – to evaluate the results from testing samples.


Week 09 – IT Audit Procedure: Planning and Evidence

This session is prerecorded. Please refer to the video links below.

There will be NO classroom or WebEx session this week.

Class Video: Week 09 – IT Audit Procedure-Planning and Evidence Note: You may have to download the file to your computer to play the video

Class SlidesWeek 09 – IT Audit Procedure

Sample Audit ProgramCTI Backup and Restore Assurance Program r2

CISA Review Manual:

  • 1.5.8 Audit Programs
  • 1.5.11 Evidence
  • 1.6.2 Audit Documentation

Week 08 – Wrap Up

Class CaptureWeek 08 – Audit Procedures Video

Class SlidesWeek 08 – Audit Procedures

Audit Program Preparation ToolIS Auditing Tools and Techniques – Creating Audit Programs

In our last class I mentioned an assessment that you will perform as a final project for the class. The company involved is CortTech, Inc. (any similarity with an existing entity is pure conicidence). Here’s a bit of information regarding the company and its IT organization, and a copy of the company’s IT change management policy.

Company Info: CoreTech, Inc

CTI IT OrganizationCTI Org Chart

Change Management PolicyCTI Change Management Policy

Week 08 – Audit Procedures

We will dedicate this entire session to designing an audit procedure. We will use one of the most critical IT general controls: Change Management. In preparation for our class, I encourage you to read the following:

CISA Review Manual:

  • Chapter 3 – Information Systems Acquisition, Development and Implementation
    • 3.10.1 Change Management Overview, pages 215 – 218.
  • Chapter 4 – Information Systems Operations, Maintenance and Service Management
    • 4.2.7 Change Management Process, pages 260-261

COBIT 5 Enabling Processes:

  • BAI06 Change Management