Ookeditse Kamau, CISA, CIA, has more than five years of experience in IT audit and has worked as a senior IT auditor at Deloitte. She recently joined the Office of the Auditor General Botswana, where she is working as principal auditor–IT audit.
Audit Evidence Refresher
Audit evidence supports the conclusions an auditor draws during the audit process. It attests that management follows the right procedures to account for the internal controls within the IT environment. When audit evidence is thought of, usually the first two ideas that come to mind are professional skepticism (not taking things at face value) and attention to detail.

Audit evidence is a component of the audit program execution process,¹ which starts with audit objective identification and is followed by control selection, documentation of audit procedures (tests of controls) and audit evidence evaluation, as depicted in figure 1.
Figure 1—Audit Program Execution Process: Audit Objective Identification → Control Selection → Audit Procedures → Audit Evidence Evaluation
The quality of audit evidence is determined by its relevance, reliability and sufficiency.² Relevance relates to the applicability of the evidence. For instance, if the evidence must cover the period under review (e.g., year-end), then when receiving documents it is imperative to review the contents and pay attention to the dates. One should also verify the source of the information and, if there are any signatures, inquire who signed off. Reliability, simply put, is how trustworthy the evidence is. Written information is more reliable than oral, and original documents are more reliable than photocopies. Sufficiency refers to how well the evidence addresses the control activity in its entirety. For example, when testing whether password controls on a Windows Server 2003 system are set to be strong, reviewing only the password policy (e.g., minimum password length, minimum password age in days) might not be sufficient evidence for this control: although the password policy is set at the server level, the system administrator has rights to change password settings on each individual user account. Such changes include allowing the user to access the network without a password or setting the user's password to never expire, and these per-account settings take precedence over the policy set at server level. Therefore, apart from the review of the password policy, the information systems (IS) auditor should additionally review:
• Users without passwords (accounts flagged as not requiring a password)
• Users whose passwords have been set to never expire
• Users who have not changed their passwords, or have not logged on, for longer than the company's password-change policy allows
This ensures that sufficient evidence is gathered to address the control.