ISACA: IT Audit Standards, Tools & Phases

Instructor: Sudha Aravindan

Sudha has a Doctor of Education degree in math education and is currently working as a Information Technology Specialist.

Did you know that ISACA recommends that organizations implement an effective audit program? Information System audits ensure that information technology systems operate as expected. In this lesson we will learn about the recommended phases and steps for an ISACA audit program.

What is ISACA?

Brenda is the Systems Administrator of a software development firm. Her company recently decided to conduct an information system audit. The external company they hired for the audit assured Brenda that they would follow ISACA standards for the audit procedures. ISACA (Information Systems Audit and Control Association) is a non-profit, global organization that independently develops and recommends industry standard practices for auditing of Information Systems. The team manager of the auditing company, Leslie, is well versed in the ISACA guidelines, benchmarks and tools for auditing.

Leslie was tasked with the following audit assignment:

  • Review the current process.
  • Perform process analysis to identify areas for improvement, redundancies and vulnerabilities.
  • Prepare a recommendation report for Brenda and her team.

ISACA Audit Phases

Leslie followed the guidelines for the three phases in the ISACA auditing process - Planning, Fieldwork and Reporting. It was important that she adhered to the standards because she did not want the result of her audit work to appear to be subjective and based on her personal opinions.


The first phase in the ISACA auditing process is Planning. Planning involves 5 steps.

  1. Audit Subject: Leslie met with Brenda and her team to identify the area of audit. Brenda is interested in auditing a new process they had recently implemented for an electronic file database. This is a business function audit because it audits a particular business process.
  2. Audit Objective: The objective of this audit, as Leslie defined it, was to review and measure the effectiveness and the impact of the new method on time and resources compared to the old method.
  3. Audit Scope: Brenda wanted to limit the scope of the audit to her department and for a period of the last six months. This was the period during which change occurred and would be beneficial for her to gain additional knowledge about.
  4. Pre-Audit Planning: Leslie met with Brenda and confirmed that the objective and scope were in line with the client's requirements. She then came up with a plan of action that they would follow for the audit process.
  5. Data Sources: One of the most important pieces of information required for an audit is data. Leslie made a note of all the different items she would need to keep in mind for accurate data collection: departmental policies and procedures, regulatory compliance, staff to interview, tools for evaluation, controls, test scripts, test results for accuracy; and methods used for data collection.

Audit Planning Phase - Auditors meet with Clients to discuss Scope and Objectives
Audit Planning


Once the audit is planned and the steps to follow are determined, the next step in the audit process is conducting fieldwork and documenting the processes, results and data as the audit progresses. There are three steps in the fieldwork phase:

  1. Acquire Data: During this phase Leslie and her team requested documents, and conducted in-depth interviews with staff in an effort to gather as much data as possible.
  2. Completion of Audit work: They then followed the steps discussed during the planning phase and completed the audit.
  3. Documentation and Review: Leslie's team made precise and careful notes every step of the way so that they could review an activity at any time. This would help for the team to ensure that there were no loopholes, or errors.


The final stage in the ISACA auditing process is reporting and follow up. Leslie provided her client with a detailed report and included the following topics:

Audit Report
Background Information
Data Collection
Current Policies and Procedures
Appendix A - Data from Interviews
Appendix B - Data from Procedure Review

A section from the audit report recommendation read as follows:


To unlock this lesson you must be a Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use

Become a member and start learning now.
Become a Member  Back
What teachers are saying about
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create an account