AN INFORMATION SYSTEMS AUDITOR’S PROFILE
Mariana Carroll and Alta van der Merwe
University of South Africa, Muckleneukrant, Pretoria, 0002, South Africa
Keywords: Information Systems, Information Technology, Auditing, Information Systems Auditing, Knowledge,
Skills, Roles and responsibilities, CAATs.
Abstract: The increasing dependence upon Information Systems (IS) in the last few decades by businesses resulted in
many concerns regarding auditing. Traditional IS auditing changed from auditing ‘around the computer’ to
auditing through and with the computer. Technology is changing rapidly and so is the profession of IS
auditing. As IS auditing is dependent on Information Technology (IT), it is essential that an IS auditor
possesses IT and auditing knowledge to bridge the gap between the IT and auditing professions. In this
paper we reflect on the auditor’s profile in this changing domain, where we first define the roles and
responsibilities expected from IS auditors, describe the basic IT and audit knowledge required from IS
auditors based on the roles and responsibilities identified, describe the soft skills required from IS auditors
to successfully perform an IS audit assignment, define the main types of IS audit tools and techniques used
most often to assist IS auditors in executing IS audit roles and responsibilities and lastly propose the IS
auditor’s profile.
1 INTRODUCTION
In the last decade, people and businesses became
more and more dependent on the use of computer
applications and technology, due to the Information
revolution and rapid development of computer
technology (Cornett, 2004). As a result new
concerns and challenges such as security
vulnerabilities, fraudulent activities and the speed of
transaction processing were experienced within
organisations. This phenomenon also influenced the
auditing field where the internal storage of data and
programs created risks such as the possibility of
unauthorised manipulations to data and programs,
and the possibility of audit trails to disappear (Watne
and Turney, 2002). On the positive side IT inspired
the reengineering of traditional business processes to
promote operations and improve communication
within the organisation and between the organisation
and its customers and suppliers (Hall and Singleton,
2005).
As stated by Ahmed (2003:20), organisations
reached the point where it was “no longer possible to
meet the expectations of users of financial and other
business performance information without using
Information Technology”.
With the increasing use of Information Systems
by most organisations a new audit challenge
emerged. Two, once independent, professions
needed to be integrated into a new emerging
impartial profession, relying on the knowledge,
skills, expertise and experience from both audit and
IT professionals (Pathak, 2004).
The integration of the two professions caused the
focus to shift from manual processes and procedure
testing to include automated application testing.
Although the objectives of an audit remain relatively
unchanged, the process an IS auditor follows in
executing the audit was immensely affected by the
change in Information Technology (Doughty and
O’Driscoll, 2002). This resulted in a specialist
group of IS auditors who deal with systems that are
technologically complex and diverse. Hall and Singleton
(2005:3) elaborated that an IT audit is associated
with auditors who use technical skills and
knowledge to audit through the computer system, or
provide audit services where processes or data, or
both, are embedded in technologies.
IS auditors are therefore faced with the challenge
of being involved in the planning and organising of
IT projects, implementation of proposed solutions,
delivery and support of Information Systems and the
monitoring of the process, controls, assurance and
evaluation (Kimpton & Martin, 2001). Therefore, to
perform the roles and responsibilities required from
IS auditors it is essential for these individuals to
possess some skills and knowledge from both the IT
and auditing professions.
Carroll M. and van der Merwe A. (2007). AN INFORMATION SYSTEMS AUDITOR’S PROFILE. In Proceedings of the Ninth International Conference on Enterprise Information Systems - DISI, pages 390-397. DOI: 10.5220/0002373703900397. Copyright © SciTePress
In the past, research focused on how IT changes
the role of IS auditors, the available tools for IS
auditors, the scope of IS auditing, the importance of
training, IT governance, IT security, General
Computer Audits, Application Control Audits,
Computer Aided Audit Techniques (CAATs) and
the inclusion of audit software in the curricula for
undergraduate and postgraduate students. IS
auditing is a relatively new field and a limited
number of studies are available on the IS auditor’s
profile.
The purpose of this paper is to reflect on an
investigation done into the components of the IS
auditor’s profile, including the level of IT
knowledge, audit knowledge, the soft skills required
from IS auditors and the IS audit tools and
techniques used to assist the IS auditor in executing
an IS audit assignment.
In section 2 we give a short overview on
supporting theoretical work within IT and auditing.
In section 3 a short description is given on the
research approach used for data gathering. Section 4
reflects on the data gathered. Section 5 follows with
a description of the IS auditor’s profile and section 6
reports on the possible use of the profile.
2 BACKGROUND
Information Technology (IT) is defined by Whitten,
Bentley and Dittman (2001:8) as “… the
combination of computer technology (hardware and
software) with telecommunication technology (data,
image, and voice networks)”. Information Systems
(IS) are defined as “…an arrangement of people,
data, processes, information presentation, and
information technology that interact to support and
improve day-to-day operations in a business as well
as to support the problem-solving and decision-
making needs of managers and users” (Whitten et
al., 2001:8).
Traditional auditing mainly focused on the
testing of IT processes and controls mitigating
identified business risks as well as the testing of
controls related to the fair representation of the
financial statements. Traditional auditing objectives
are therefore influenced by the impact of IT / IS,
where manual inputs and outputs are no longer
processed and more risks are threatening the security
of businesses, their financial statements and
fraudulent activities. Therefore, the two professions
of IT and auditing need to be integrated to execute
an effective IS audit.
Weber (1999:10) defines IS auditing as: “the
process of collecting and evaluating evidence to
determine whether a computer system safeguards
assets, maintains data integrity, and allows
organisational goals to be achieved effectively and
user resources efficiently”. Hinson (2004:5)
expands on this by stating that computer (IS)
auditing is all about, “… a branch of general
auditing concerned with governance (control) of
information and communication technologies
(computers). Computer auditors primarily study
computer systems and networks from the point of
view of examining the effectiveness of their
technical and procedural controls to minimize risks”.
According to Hall and Singleton (2005:3) an IS
audit is associated with “auditors who use technical
skills and knowledge to audit through the computer
systems, or provide audit services where processes
or data, or both, are embedded in technologies”.
Lucy (1999:44) summarises the definitions
effectively by stating that “management utilises
Information Systems auditing as a tool for ensuring:
1) the reliability and integrity of information; 2)
compliances with IT policies and procedures; 3) the
safeguarding of IT assets; 4) the economical and
efficient use of IT resources; and 5) the
accomplishment of established IT objectives and
goals”.
It can therefore be concluded that Information
Systems Auditing is the examination of an
Information System and surrounding procedures to
express an opinion as to whether or not the data
involved in processing, from the initiation of the
transaction to its inclusion in the financial
statements, is fairly represented at a specific date, to
ensure completeness, accuracy, validity and
timeliness of data and transactions and to scrutinise
the controls implemented to mitigate identified risks
as well as to provide assurance on the safeguarding
of organisational assets and resources.
The evolution in audit and Information Systems
has forced auditors from auditing around the
computer to auditing with and through the computer
by incorporating the necessary knowledge and skills
from IT specialists. IS Auditors began to understand
that Information Systems can be used to their
advantage and used as a tool rather than be seen as
an adversary. Computer Systems reached the point
where auditors were forced to use computers as the
target of their audit, since all information was
processed internally.
With emerging technologies such as e-
commerce, data mining, digital signatures, the
Internet and new legislations and statements, the
work for IS auditors keeps on increasing rapidly, as
well as the specialised knowledge and skills needed
by IS auditors.
Therefore, it can be concluded that IS auditors
need to understand the process flow of transactions
or information in Information Systems, which
includes technical knowledge and an understanding
of the controls needed to ensure accuracy, validity,
timeliness and completeness of organisational
information, resources and assets. For this reason
the combination of knowledge, skills, experience
and daily roles and responsibilities of IT and
auditing professionals fall under the profession of IS
auditing. Thus, professionals coming from different
backgrounds (IT and/or auditing) are forced to learn
and develop the skills necessary to meet the
demands of IS auditing.
From the above, the question arises: What are the
IT and audit knowledge and soft skills required from
an IS auditor, given that specific auditing tools and
techniques are available to assist the auditor in
executing an IS audit assignment, in order for an IS
auditor to optimally perform his or her daily roles
and fulfil his or her professional responsibilities?
3 RESEARCH APPROACH
For this study a qualitative research approach was
followed, based on a combination of non-empirical
(literature survey) and empirical studies (structured
interviews). This approach was followed to firstly
establish a theoretical understanding of the work
published in this field and secondly to reflect on
practitioners’ experience and beliefs regarding the
characteristics of an IS auditor.
The qualitative research data obtained consisted
of two main sources. Firstly, secondary information
was derived from the available body of knowledge
through a literature review. The purpose of the
literature review was to present the results of the
work of the existing literature regarding the IT and
auditing professions, specifically the IS auditor’s
roles and responsibilities, the required IT and audit
knowledge, soft skills and available IS audit tools.
The construction research method was followed to
derive, analyse and present a summary from the
literature survey. According to Page and Meyers
(2003:4) the construction research method is defined
as “the structural framework linking a number of
concepts into a much more comprehensive concept,
mega-concept, of a phenomenon that is not directly
observable or measurable”.
Secondly, an IS auditor’s profile was derived
from following a survey approach, which is used to
“enable the researcher to study a population sample
in order to infer characteristics of a population
(generalise findings)” (Page & Meyers, 2003:111).
The survey approach was based on the empirical
study method, which is set based on data about
everyday objects (world 1) as the unit of analysis
(Mouton, 2005). Interview questions were based on
specific items that were asked of all participants,
with the goal of qualifying the responses. This
method is known as structured interviews according
to Page and Meyers (2003).
The structured interviews were constructed based
on a distributed sample selection. The sampling
design method, used to select the sample population,
was based upon judgmental samples. The sample
selection adhered to the following criteria: 1)
Background (IT or Auditing); 2) Years experience in
IS auditing (4 or more); 3) Level (Management or
higher); and 4) Type of audit role (External or
Internal).
A sample of 10 interviewees was selected based
on the different business sectors and whether the
company performs internal or external audits. The
interview population comprised the following
South African business industries containing IS
auditing divisions: Audit Firms; Government
Departments; Retail Industry; Banking Industry; and
Telecommunications Industry.
Our research only focused on the key, high level
characteristics identified by means of the research
methodology and approach followed. The IS
auditor’s profile therefore also only included these
key characteristics. The identified characteristics
were generalised in a South African context. These
characteristics may differ according to individual,
profession, organisation, circumstance and level of
employment and should only be regarded as a
guideline.
4 DATA INTERPRETATION, COMPARISON AND SUMMARY
The primary data obtained through structured
interviews was interpreted and compared to the
secondary data obtained by means of the literature
review that was conducted. The research aim was to
combine the primary and secondary data in order to
define an IS auditor’s profile.
The interpretation, comparison and combination
of the primary (interview response) and secondary
data (literature review) are presented according to
the following main characteristics and/or features: 1)
Roles and Responsibilities of IS auditors; 2)
Knowledge; 3) Soft Skills; and 4) IS Audit Tools
and Techniques. These characteristics and features
will aid in defining the IS auditor’s profile.
4.1 Roles and Responsibilities of an IS Auditor
Roles and responsibilities set the direction for the
tasks and types of IS audits to be performed. The
roles and responsibilities may vary according to the
level of responsibility. For the purpose of this study,
the roles and responsibilities were divided into three
basic responsibility levels based on the interview
responses, namely: 1) Consultant; 2) Manager; and
3) Director.
Roles and responsibilities and the audit process
set the direction for performing IS audits based on
the type of audit assignment. In order to perform an
IS audit through the defined roles and
responsibilities, IT and audit knowledge, a certain
set of soft skills and IS audit tools and techniques
are required. The roles and responsibilities defined
for the IS auditor’s profile based on the literature
study and interview responses are presented in
Figure 1.
4.2 Knowledge
Based on the literature study conducted, knowledge
is defined as the combined result of formal
education, experience and training, something
gained through listening, reading, learning and/or
observation. Based on the interview responses, the
most common entry routes into the IS auditing
profession or employment requirements were found
to be from either the IT/IS or auditing / accounting
backgrounds. The knowledge required from IS
auditors was therefore divided into IT knowledge
requirements and audit knowledge requirements.
The IT and audit knowledge requirements as per
summary from the secondary (literature) and
primary (interview responses) data, are presented in
Table 1.
In understanding the different concepts of IT and
audit knowledge and the relationship between them,
it can be concluded that audit knowledge should be
applied to the IT knowledge to enable an IS auditor
to successfully execute his or her daily roles and
responsibilities.
Figure 1: An IS auditor’s roles and responsibilities.
[Figure 1 is a responsibility matrix that sets the audit process steps (scoping and pre-audit planning; planning and preparation; fieldwork; reporting and follow-up; closure) against the three responsibility levels (Director, Manager and Consultant).]
The following example will aid in clarifying the
statement that audit knowledge should be applied to
IT knowledge: The audit knowledge concept,
“understanding of the concept of risk” should be
applied to a specific area of IT knowledge
depending on the type of audit assignment and the
scope and objectives of the audit. Therefore, the
auditing concepts of “understanding the concept of
risk” may be applied in the IT knowledge area,
“information security” which will entail the risk
associated with information security being defined,
for example: 1) Unauthorised access to application
data and physical assets and resources (e.g. servers);
2) Unlicensed versions of software loaded on the
entity’s machines; and 3) Resources and data are
unprotected against virus attacks.
Given the reasoning of audit knowledge being
applied to IT knowledge, individuals coming from
an auditing background have an advantage, since
these individuals understand the auditing concepts
and are able to easily identify the impact of risks.
However, individuals originating from an IT
background have the advantage of understanding the
more technical and complex IT concepts and can
therefore easily identify risks and controls within the
IT knowledge areas.
The challenge of people coming from different
backgrounds presents the gap between the IT and
auditing professions. Individuals are forced to
interact with each other within the working
environment to transfer some knowledge and skills
especially if the employees are from different
professional backgrounds. Extensive additional
training is also recommended to bridge the gap.
Table 1: IT and audit knowledge.
| IT knowledge | Audit knowledge |
|---|---|
| Application programs / ERP systems | Understanding of the concept of risk |
| Basic Information Systems and Information Technology general concepts | Know about applicable standards and best practices |
| Programming languages and procedures | Audit planning (understanding the objectives of the audit, the scope of the audit and the areas of significance) |
| Computer communications and Networks (including routers, switches and internet) | Audit testing methods (including compliance testing, substantive testing and analytical review procedures) |
| Data structures and database | Understanding of the concept of control |
| Information security (physical and logical access) | Understand basic accounting principles |
| Information Systems Management / IT Governance | Business understanding |
| Operating Systems | Obtaining and interpreting relevant audit evidence |
| System analysis, design, development, testing, implementation and maintenance (SDLC) | Independence |
| Business Continuity and Disaster Recovery planning | |
| Information Systems Operations | |
| Specialised areas | |
The IT and audit knowledge required from IS
auditors is considered to be the enabler for the
process of performing an IS audit.
4.3 Soft Skills
IS auditors need to adapt to the different
circumstances and client personnel or client
environments to effectively and efficiently perform
IS audit functions. Having the required IT and audit
knowledge and IS audit tools and techniques is not
sufficient for an IS auditor to successfully execute
an IS audit assignment. In order to define the IS
auditor’s profile, a basic set of soft skills needed by
IS auditors should be defined.
Based on the interview responses, soft skills are
imperative, especially to obtain supporting evidence,
to observe processes, to document conclusions and
findings and to interview staff. The soft skills
required from IS auditors may however differ
according to level of employment, personality,
circumstances, the client environment and the
specific IS audit assignment. The soft skills
perceived as most important from the interview
responses include the following:
Table 2: Soft skills needed by an IS auditor.
Soft Skills
Analytical / systematic
People’s person / people knowledge
Communication skills (both written and verbal, including interviewing techniques, persuading, presentation, managerial communication and negotiating)
Initiative
Managing people, resources, time and budgets (leadership)
Resilience
Good listener
Passion for auditing
Understand client environment / business
Team player
Conflict resolution
Constant learning / seeking new knowledge
Decisive / Judgement
Diligence and detail
Establish rapport
Inquisitiveness
Punctual
See the "bigger picture"
Strength of character
Tact
Tenacity
To illustrate: to be able to successfully complete
step 5 (“reporting and follow-up” – Figure 1) in the
audit process, it is essential that the IS auditor
utilises the following soft skills: 1) Conflict
resolution: unresolved findings are usually a trigger
point for conflict; 2) Communication skills: both
verbal and written; 3) Understanding the client
business or environment: clients are quickly
annoyed by auditors when recommendations are not
practical to their business environment; and 4)
Strength of character: it sometimes takes strength of
character to stand up to the pressure from a client or
to be tenacious in completing the audit despite
distractions such as a high reliance on the client to
provide information and audit evidence.
The soft skills provided are only a guideline and
focus only on the basic levels of skills required
from IS auditors.
4.4 IS Audit Tools and Techniques
IS audit tools and techniques are part of the solution
to the increasing complexity of applications,
software and networks. IS audit tools and
techniques also enable the auditor to audit through
the computer rather than auditing around the
computer (as in traditional methods).
To define an IS auditor’s profile, it is essential to
list the features which enable the IS auditor to
perform an IS audit assignment. IS audit tools and
techniques are vital in assisting the IS auditor to
evaluate and assess complex detailed transactions in
a fraction of the time of normal manual
evaluations. The following main categories of IS
audit tools and techniques are presented based on the
interpretation of the primary and secondary data: 1)
Generalised audit software: includes CAATs used
for data analysis purposes (e.g. ACL, IDEA); 2)
Specialised analysis tools: these include security
analysis tools (e.g. Sekchek) and application
analysis tools (e.g. analysis tools interrogating SAP
and Oracle applications); 3) Audit methodologies,
standards, guidelines and audit programs: assisting
the auditor in executing IS audit assignments (e.g.
COBIT, COSO framework); 4) General
Applications: these applications include document
management, planning and audit software and
enable IS auditors to create work papers, write
reports and create any other related documents (e.g.
Microsoft Office, AuditPro, MyClient).
5 AN IS AUDITOR’S PROFILE
In conclusion, taking the above defined main
characteristics into account and the reasons for their
importance to the IS audit profile, a framework was
developed, illustrating an IS auditor’s profile (Figure
2).
Audit knowledge needs to be applied to IT
knowledge. Knowledge is regarded as the enabler
for the execution of an IS audit, since an IS audit
assignment cannot be completed without the
individual having adequate knowledge. The roles
and responsibilities of an IS auditor are presented
based on the main steps performed in an IS audit per
responsibility level. Soft skills are regarded as the
drivers of the audit to ensure successful completion
and are applicable across all responsibility levels.
Soft skills though, are usually more mature at
director level than, for instance, at consultant level.
The audit tools and techniques are regarded as the
supporting functions available to assist the IS auditor
in performing IS audits (per the defined audit
process).
It is important to note that the IS auditor’s profile
as presented in this paper, is not the only or optimum
IS auditor’s profile, since the characteristics may
differ according to person and business or
educational institution. The profile provided is only
a guideline and focused on the basic level of IT and
auditing skills, soft skills, audit tools and techniques
and roles and responsibilities.
Future studies may focus on defining the IS
auditor’s profile in more detail, or establishing more
than one profile or an optimum profile. Consideration could
also be given to the following questions: 1) Could
people with different profiles be successful IS
auditors? 2) Is it realistic to expect all these
characteristics from one person (depending on the
level)? 3) Given the global shortage of IS auditors,
where do we usually compromise on the ideal
profile?
6 RECOMMENDED USE OF THE PROFILE
By determining the roles and responsibilities and the
concepts applicable to IS auditing, the knowledge
and skills required and the IS audit tools and
techniques used in supporting the IS auditor, the
following institutions and individuals can benefit from
the established IS auditor’s profile:
• Educational institutions can incorporate the concepts presented in
  the IS audit profile in the curricula of students, especially the
  concepts related to IT knowledge, audit knowledge and the IS audit
  tools and techniques as listed in Figure 2. These terms or concepts
  can be used to establish the minimum level of IT and audit knowledge
  requirements. The IS audit tools and techniques, especially the
  generalised audit software (e.g. ACL or IDEA), could also be used as
  a guideline as to what types of IS audit tools are available and
  mostly utilised by organisations (according to the interview
  responses);
• The auditing profession should be able to utilise the profile to
  assess employees and benchmark them against their progress according
  to the defined concepts. For example: according to the
  responsibility matrix, it is required that an IS audit manager
  reviews audit programs and work papers during the fieldwork phase
  (step 3, refer to Figure 2). To enable the manager to perform a
  review, the necessary audit knowledge (e.g. “Understanding of the
  concept of risk”; “Audit testing methods used”; “Business
  understanding”; “Know about applicable standards and best
  practices”; “Understand the concept of control”; and “Relevant audit
  evidence”) should be applied to the relevant IT knowledge area (e.g.
  “Application programs / ERP systems”), as per the scope and
  objective of the audit defined in the planning phase (steps 1 & 2).
  The following IS audit tools and techniques are applicable for step
  3 (review of work papers by manager): 1) Generalised audit software
  (since it is an application review, ACL, IDEA or SQL queries can be
  used to perform data analysis which the manager should review); 2)
  Audit methodologies, standards, guidelines and best practice (the
  manager should ensure that the work performed adheres to audit
  methodologies and meets all audit objectives. Findings can also be
  compared to best practice to identify weaknesses, e.g. password
  settings should be 6 characters or more); and 3) General
  applications (document management applications, to ensure version
  control of working papers, and Microsoft Office (Word and Excel) for
  work paper documentation). The soft skills (e.g. “Communication
  skills” (verbal and written); “Managing people” (audit team);
  “Diligence and detail” (to ensure accuracy, completeness, validity
  and timeliness of work papers); “See the bigger picture” (see audit
  as a whole and not as isolated parts per working papers); and
  “Decisive / Judgment” (decide and make judgment calls on weaknesses
  or risks identified and reporting to management)) drive the manager
  to successfully complete step 3 in the audit process;
• Professional institutions should also be able to use the IS
  auditor’s profile to recruit employees based on the required level
  of knowledge and skills. They can also use the roles and
  responsibilities illustrated to define the job descriptions of
  employees at the different responsibility levels; and
• Individuals in the IS auditing profession can define their roles and
  responsibilities to successfully execute audit assignments and
  benchmark themselves in the IS auditing profession (refer to the
  example above). They can use the knowledge and skills base to
  evaluate their current knowledge and skills, identify gaps and work
  towards the desired level.
Figure 2: An IS auditor’s profile.
[Figure 2 is a framework diagram combining the components of the profile: audit knowledge applied to IT knowledge (enabler), soft skills (driver), IS audit tools and techniques (support), and the roles and responsibilities per audit process step and responsibility level (Director, Manager, Consultant).]
7 CONCLUSION
In this paper we reflected on a qualitative study done
where we defined the IS auditor’s profile according
to the roles and responsibilities, knowledge, skills
and IS audit tools and techniques needed by IS
auditors to successfully execute an IS audit
assignment.
This reflection on the auditor’s profile
contributes to the existing body of knowledge by
means of enhancing the definitions related to the
roles and responsibilities, knowledge, skills and IS
audit tools and techniques available and through
insights into the relationship between these concepts
as illustrated by the IS auditor’s profile.
REFERENCES
Ahmed, A. 2003. The Level of IT/IS Skills in Accounting Programmes in British Universities. Management Research News, 26(12):20-58.
Cornett, C. 2004. The Problem of Computer Dependence. [Online]. Available at www.catrionacornett.com/portfolio/stsessay2.doc
Doughty, K., O’Driscoll, J. 2002. Information Technology Auditing and Facilitated Control Self-assurance. Information Systems Control Journal, 4:33-38.
Hall, J.A., Singleton, T. 2005. Information Technology Auditing and Assurance. Thomson (South Western). Florida, 2nd ed.
Hinson, G. 2004. Frequently Asked Questions about Computer Auditing. IsecT Ltd. p. 1-28.
Kimpton, C., Martin, D. 2001. Overview of Principal IT Evaluation Models: Tools for IT Auditors. Information Systems Control Journal, 5:49-53.
Lucy, R.F. 1999. IS Auditing: The State of the Profession Going into the 21st Century. Information Systems Audit & Control Journal, 4:44-50.
Mouton, J. 2005. How to succeed in your Master’s and Doctoral Studies. A South African guide and Resource book. Van Schaik Publishers. Pretoria.
Page, C., Meyers, D. 2003. Applied Research Design for Business and Management. The McGraw-Hill Companies, Inc. Sydney.
Pathak, J. 2004. Standards & an IT Auditor. [Online]. Available: http://www.auditnet.org/articles/Standards%20Article.html.
Watne, D.A., Turney, P.B.B. 2002. Auditing EDP Systems. Prentice Hall. South Africa, 2nd ed.
Weber, R. 1999. Information Systems Control and Audit. Prentice Hall. Englewood Cliffs.
Whitten, J.L., Bentley, L.D., Dittman, K.C. 2001. Systems Analysis and Design Method. McGraw-Hill Higher Education. New York, 5th ed.