It was a great compliment, if somewhat daunting, to be invited to follow in the footsteps of Tommie Singleton and the late Ed Gelbstein to contribute to this column. I can only hope to match their insights by bringing my own experiences to bear.

Speaking of which, one of the most common requests I get as a community leader on the ISACA® Knowledge Center (1, 2, 3) is for audit/assurance programs or sources of assurance. So, what are our options and where should we look?
Utilize Existing Audit/Assurance
ISACA, the Institute of Internal Auditors (IIA) and other organizations have developed programs (figure 1) that address commonly audited areas such as cyber security, commonly utilized applications such as SAP and common requirements for compliance such as the Payment Card Industry Data Security Standard (PCI DSS). These are excellent resources and can save a lot of time. My only word of warning is that they are not one size fits all. They should be considered a starting point and adjusted based upon risk factors and criteria that are relevant to the organization you are auditing. Failure to do so can result in a checklist approach that can lead to the auditor recommending controls that are not applicable to the organization. This, in turn, can damage your reputation with the auditee and, ultimately, with senior management.

Figure 1—Existing Audit/Assurance
ISACA Audit/assurance programs (4)
IIA Global Technology Audit Guides (GTAGs) (5)
AuditNet Audit Programs (6)
Source: Ian Cooke. Reprinted with permission.
Build Your Own
During your career as an IS auditor, there will be a requirement to build your own audit/assurance programs. These would typically be required when the audit subject is a custom-built application or when the organization being audited is implementing tools or processes that are on the cutting edge. How do you approach such assignments?
In March 2016, ISACA released an excellent white paper titled Information Systems Auditing: Tools and Techniques Creating Audit Programs (7). The paper describes the five steps in developing your own audit program (figure 2). Essentially, these steps are:

1. Determine audit subject—What are you auditing? This is often set as part of the overall audit plan.
2. Define audit objective—Why are you auditing it? Again, this may have been set as part of the overall audit plan.
3. Set audit scope—What are the limits to
4. Perform preaudit planning—What are the specific risk factors?
5. Determine audit procedures and steps for data gathering—How will you test the controls for these risks?
A crucial component of step 5 is developing the criteria for evaluating tests. “Criteria” is defined as the standards and benchmarks used to measure
Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma
Is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all aspects of information systems. Cooke has served on several ISACA® committees and is a current member of ISACA’s CGEIT® Exam Item Development Working Group. He is the community leader for the Oracle Databases, SQL Server Databases, and Audit Tools and Techniques discussions in the ISACA Knowledge Center. Cooke assisted in the updates of the CISA® Review Manual for the 2016 job practices and was a subject matter expert for ISACA’s CISA Online Review Course. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email at Ian_J_Cooke@hotmail.com, Twitter (@COOKEI) or on the Audit Tools and Techniques topic in the ISACA Knowledge Center. Opinions expressed in this column are his own and do not necessarily represent the views of An Post.