ISACA Outlines Five Steps to Planning an Effective IS Audit Program


A new report from the global IT association ISACA identifies five steps organisations should take to create an effective audit program and reap the benefits of a successful information systems (IS) audit.

IS audits help enterprises ensure the effective, efficient, secure and reliable operation of the information technology that is critical to organisational success. The effectiveness of an audit depends largely on the quality of its audit program, according to a new ISACA white paper titled “Information Systems Auditing Tools and Techniques: Creating Audit Programs.”

According to the guide, the audit process consists of three phases: planning, fieldwork/documentation, and reporting/follow-up. The planning phase consists of five key steps:

  1. Determine audit subject.
  2. Define audit objective.
  3. Set audit scope.
  4. Perform pre-audit planning.
  5. Determine audit procedures and steps for data gathering.

“ISACA’s new white paper provides audit and assurance professionals with practical guidance on how to develop audit programs from the ground up,” said Rosemary M. Amato, CMA, CISA, a director on ISACA’s Board and Director, Deloitte Accountant B.V. “Audit processes are clearly defined by phase with activities clearly described. ISACA’s new guide can be leveraged in your organisation to add value to the audit function.”

Setting the audit scope is critical, according to the white paper, because “the IS auditor will need to understand the IT environment and its components to identify the resources that will be required to conduct a comprehensive evaluation.” A clear scope helps the auditor determine the testing points relevant to the audit’s objective.

Pre-audit planning includes tasks such as conducting a risk assessment, identifying regulatory compliance requirements, and determining the resources (people, time, tooling and access) that will be needed to perform the audit.

The final planning step, determining audit procedures and steps for data gathering, involves activities such as obtaining departmental policies for review, developing a methodology to test and verify controls, and developing test scripts together with the criteria used to evaluate each test.

Once planning is complete, auditors can move on to the fieldwork and documentation phase (acquiring data, testing controls, discovering and validating issues, documenting results) and the reporting phase (gathering report requirements, drafting the report, issuing the report, and follow-up), both of which are described in detail in ISACA’s “Information Systems Auditing Tools and Techniques: IS Audit Reporting” paper.

“Creating Audit Programs” identifies three elements that are key to success: IS auditors should be familiar with standard frameworks, with the operating environment of the entity under review, and with the audit process used internally.

“Creating Audit Programs” and supporting materials, including a related infographic and sample audit program, are available as a free download at

ISACA helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework for governing enterprise technology.