isaca-配套执行准则ITAFTM2208信息技术审计抽样 TAF™ Companion Performance Guidelines 2208 Information Technology Audit Sampling_第1页
isaca-配套执行准则ITAFTM2208信息技术审计抽样 TAF™ Companion Performance Guidelines 2208 Information Technology Audit Sampling_第2页
isaca-配套执行准则ITAFTM2208信息技术审计抽样 TAF™ Companion Performance Guidelines 2208 Information Technology Audit Sampling_第3页
isaca-配套执行准则ITAFTM2208信息技术审计抽样 TAF™ Companion Performance Guidelines 2208 Information Technology Audit Sampling_第4页
isaca-配套执行准则ITAFTM2208信息技术审计抽样 TAF™ Companion Performance Guidelines 2208 Information Technology Audit Sampling_第5页
已阅读5页,还剩39页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

ITAF™Companion

PerformanceGuidelines2208

InformationTechnologyAuditSampling

2

AboutISACA

ISACA®(

)isaglobalcommunityadvancingindividualsandorganizationsintheirpursuitofdigital

trust.Formorethan50years,ISACAhasequippedindividualsandenterpriseswiththeknowledge,credentials,

education,trainingandcommunitytoprogresstheircareers,transformtheirorganizations,andbuildamoretrusted

andethicaldigitalworld.ISACAisaglobalprofessionalassociationandlearningorganizationthatleveragesthe

expertiseofits180,000+memberswhoworkindigitaltrustfieldssuchasinformationsecurity,governance,assurance,risk,privacyandquality.Ithasapresencein188countries,including225chaptersworldwide.ThroughtheISACA

Foundation,ISACAsupportsITeducationandcareerpathwaysforunderresourcedandunderrepresentedpopulations.

Disclaimer

ISACAhasdesignedandcreatedITAF™CompanionPerformanceGuidelines2208:InformationTechnologyAudit

Sampling(the“Work”)primarilyasaneducationalresourceforprofessionals.ISACAmakesnoclaimthatuseofanyoftheWorkwillassureasuccessfuloutcome.TheWorkshouldnotbeconsideredinclusiveofallproperinformation,proceduresandtestsorexclusiveofotherinformation,proceduresandteststhatarereasonablydirectedtoobtaining

thesameresults.Indeterminingtheproprietyofanyspecificinformation,procedureortest,professionalsshould

applytheirownprofessionaljudgmenttothespecificcircumstancespresentedbytheparticularsystemsorinformationtechnologyenvironment.

ReservationofRights

©2026ISACA.Allrightsreserved.Nopartofthispublicationmaybeused,copied,reproduced,modified,distributed,displayed,storedinaretrievalsystemortransmittedinanyformbyanymeans(electronic,mechanical,photocopying,recordingorotherwise)withoutthepriorwrittenauthorizationofISACA.

ISACA

1700E.GolfRoad,Suite400

Schaumburg,IL60173,USA

Phone:+1.847.660.5505

Fax:+1.847.253.1755

Support:

Website:

ParticipateintheISACAOnlineForums:

/onlineforums

X:

/ISACANews

LinkedIn:/company/isaca

Facebook:/ISACAGlobal

Instagram:/isacanews/

ITAF™CompanionPerformanceGuidelines2208:InformationTechnologyAuditSampling

ACKNOWLEDGMENTS

3

Acknowledgments

ISACAwishestorecognize:

LeadDeveloper

MaryCarmichael,CISA,CISM,CRISC,CPA,CFE,MomentumTechnology,Canada

ITAuditAdvisoryGroup

KananAliyev,CISA,CRISC,CDPSE,CISSP,NEQSOLHolding,Azerbaijan

DavidBerkelmans,CISA,AAIA,Anchoram,Australia

GabrielMarinoBrandi,CISA,CDPSE,CIA,DPO,EY,Brazil

AgekeCalvince,CISA,ISO/IEC27001:2022LeadAuditor,ISO/IEC42001:2023,GAInsuranceLtd.,KenyaSharadGupta,CISA,Canada

TinLatt,MohamedAhmedJamal,CISA,CISM,CGEIT,CIA,DBA,ISO/IEC27001LeadAuditor,PCIP,MyanmarMarkLedman,CISA,USA

EsanjuMaseka,CISA,KMPG,Australia

GabrielSanchez,CISA,Microsoft,USA

BoardofDirectors

JohnDeSantis,Chair,FormerChairmanandChiefExecutiveOfficer,HyTrust,Inc.,USA

NielHarper,Vice-Chair,CISA,CRISC,CDPSE,CISSP,NACD.DC,ChiefInformationSecurityOfficerandData

ProtectionOfficer,Doodle,FormerChiefInformationSecurityOfficer,UnitedNationsOfficeforProjectServices(UNOPS),USA

StephenGilfus,ManagingDirector,OversightVenturesLLC,Chairman,GilfusEducationGroupandFounder,BlackboardInc.,USA

GabrielaHernandez-Cardoso,NACD.DC,FormerPresidentandCEO,GEMexico,IndependentBoardMember,Mexico

JasonLau,CISA,CISM,CGEIT,CRISC,CDPSE,CIPM,CIPP/E,CIPT,CISSP,FIP,HCISPP,ChiefInformationSecurityOfficer,

C

,Singapore

MassimoMigliuolo,IndependentBoardMember,Malaysia

JamieNorton,CISA,CISM,CGEIT,CISSP,CIPM,Partner,McGrathNicol,Australia

MaureenO’Connell,NACD.DC,BoardChair,AcaciaResearch(NASDAQ),FormerChiefFinancialOfficerandChief

AdministrationOfficer,Scholastic,Inc.,USA

ErikPrusch,ChiefExecutiveOfficer,ISACA,USA

AsafWeisberg,CISA,CISM,CGEIT,CRISC,CDPSE,CSX-P,ChiefExecutiveOfficer,introSightLtd.,Israel

PamelaNigro,ISACABoardChair2022-2023,CISA,CGEIT,CRISC,CDPSE,CRMA,VicePresident,Security,Medecision,USA

TraceyDedrick,ISACABoardChair,2020-2021,FormerExecutiveVicePresidentandHeadofEnterpriseRiskManagement,SantanderHoldings,USA

BrennanP.Baybeck,ISACABoardChair,2019-2020,CISA,CISM,CRISC,CISSP,SeniorVicePresidentandChiefInformationSecurityOfficerforCustomerServices,OracleCorporation,USA

ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

4

Pageintentionallyleftblank

TABLEOFCONTENTS

5

TABLEOFCONTENTS

Chapter1.Introduction 7

PurposeofInformationTechnologyAuditSamplingGuidelines(Guidelines2208) 7

RelationshiptoITAF 7

ApplicationandUse 7

ScopeandTechnologyUpdates 8

IntegrationWithISACA’sBroaderGuidance 8

TermsandDefinitions 8

Chapter2.PerformanceGuidelines2208:InformationTechnologyAudit

Sampling 9

2208.lIntroduction 9

2208.2Sampling 9

2208.3DesignoftheSample ll

2208.4SelectionoftheSample l9

2208.5EvaluationofSampleResults 23

2208.6Documentation 24

AppendixA.RelatedStandards 27

AppendixB.RelatedGuidelines 29

AppendixC.TermsandDefinitions 31

ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

6

Pageintentionallyleftblank

CHAPTER1INTRODUCTION

7

Chapter1

Introduction

ISACA’sInformationTechnologyAuditFramework(ITAF™)isacomprehensiveframeworkthat:

•EstablishesstandardsthataddressITauditandassurancepractitioners’rolesandresponsibilities,ethics,expectedprofessionalbehavior,andrequiredknowledgeandskills

•DefinestermsandconceptsspecifictoITauditandassurance

•Providesguidanceandtechniquesforplanning,performing,andreportingofITauditandassuranceengagements

PurposeofInformationTechnologyAuditSamplingGuidelines(Guidelines2208)

TheInformationTechnologyAuditSamplingGuidelines(Guidelines2208)havebeendevelopedasacompaniontoITAF.Theseguidelines:

•SupportITauditandassurancepractitionersinapplyingsamplingmethodstodrawvalidconclusionsaboutapopulationwhenauditproceduresareappliedtolessthan100percentofthatpopulation

•Promoteaconsistent,risk-basedapproachtothedesign,selection,andevaluationofsamplesinITauditandassuranceengagements

•Strengthenthereliability,transparency,andefficiencyofauditevidencederivedfromsamplingtechniques

TheseguidelinessupportITauditandassurancepractitionersinapplyingeffective,technology-enabledsampling

techniquesthatareconsistentwithISACA’sITAFstandards.Theyareintendedtobeusedacrossarangeof

engagements,includingITgeneralcontrols,applicationcontrols,andcybersecurityreviewstoensurethatsampling

proceduresproducereliable,evidence-basedconclusions.ByapplyingGuidelines2208,practitionerscanenhancetheobjectivityandconsistencyofsamplingresultsandbetteraligntheirworkwithauditobjectivesandprofessional

standards.

RelationshiptoITAF

AlthoughthesecompanionguidelinesdonotcorrespondtoaspecificITAFstandard,theirnumberingalignswiththeITAFframeworkstructuretomaintainconsistencyamongrelatedguidance.Thegeneral,performance,and

reportingguidanceseriesarenumbered2000,2200,and2400,respectively.Guidelines2208followsthisschemeandcomplementsthestandardsthataddressITauditplanning,execution,andreporting.

ApplicationandUse

Adherencetotheseguidelinesisrecommendedbutnotmandatory.Practitioners:

•Mayexerciseprofessionaljudgmentandflexibilityintheirapplicationoftheguidelines,providedthatdeviationsareproperlyjustifiedanddocumented

•Considertheguidelinesasabest-practicereferencefortheplanning,design,execution,anddevelopmentofsampleconclusionsinauditsamplingactivities.

•Recognizethat,whiletheguidelinesmaynotapplyinallcircumstances,theyrepresentanauthoritativeframeworkforconductingeffective,technology-enabledauditsampling.

TheintentofGuidelines2208istopromotequality,consistency,andtransparencyinsamplingmethodologiesappliedduringITauditandassuranceengagements,enablingpractitionerstodeliverreliable,evidence-basedconclusionsinincreasinglydigitalanddata-drivenenvironments.

ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

8

ScopeandTechnologyUpdates

Astechnologyevolves,itisimpactinghowITauditandassurancepractitionersplanandconducttheirwork.In

responsetothesedevelopments,ISACAhasupdatedGuidelines2208:InformationTechnologyAuditSamplingto

betterreflectdata-drivenandtechnology-enabledauditsamplingapproaches.TherevisedguidelinesincorporatetheseadvancementswhilemaintainingISACA’scoreprinciplesofprofessionaljudgment,sufficientevidence,andsound

auditdocumentation,ensuringthatauditsamplingremainsbothrelevantandalignedwithtoday’spractices.

IntegrationWithISACA’sBroaderGuidance

PractitionersareencouragedtouseISACA’sportfolioofprofessionalguidance,includingrelevantframeworks,auditprograms,whitepapers,publications,andtoolstoenhanceauditqualityandstaycurrentwithevolvingtechnologiesandtheirimpactonauditprocesses.

Byintegratingtheseresourcesintoauditsamplingpractices,practitionerscanstrengthentheirunderstandingof

emergingtechnologiesandmaintainconsistencywithrecognizedbestpractices.Thisholisticapproachsupports

effectiveauditplanning,execution,andevaluation,enablingthedeliveryofhigh-quality,technology-informedauditandassuranceengagements.

TermsandDefinitions

Throughouttheseguidelines,somecommonwordshavespecificmeaningsthatapplytothemostcommontypesofengagementsperformedbyITauditandassurancepractitioners.Fortheseinstances,adefinitionisprovidedinAppendixCtoensurethatthemeaningsofthesewords,withinthecontextoftheseguidelines,areunderstoodandconsistentlyapplied.

Wherepractical,ITAFtermsanddefinitionsgenerallyareconsistentwithcommonlyusedterminologyinthepracticeofprofessionalauditingandininformationtechnologyandsecurity;however,practitionersshouldconsultthecurrentoriginalsourcestandardsrelevanttothespecifictypeofengagementtobeperformed.Thiswillensurealignmentofterminologywiththeoriginalsourcestandardsthatarebeingfollowed.

CHAPTER2PERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

9

Chapter2

PerformanceGuidelines2208:InformationTechnologyAuditSampling

ThepurposeoftheseguidelinesistoassistITauditandassurancepractitionersinthedesign,selection,andevaluationofauditsamplestoobtainsufficientandappropriateevidencesupportingauditconclusions.

Practitionersshouldconsidertheseguidelineswhendetermininghowtoimplementrelatedstandards(see

A

RelatedStandards)andrelatedguidelines(see

B

RelatedGuidelines),useprofessionaljudgmentintheirapplication,be

preparedtojustifyanydeparture,andseekadditionalguidanceifnecessary.

Whereuncertaintyorcomplexityarises,particularlyintechnology-drivenordata-intensiveenvironments,practitionersshouldseekadditionalguidanceorconsultsubjectmatterexpertstoensurethesamplingapproachremainsappropriateandreliable.

2208.1Introduction

Theguidelines’contentsectionsarestructuredtoprovideinformationonthefollowingkeyauditsamplingtopics:

•2208.2Sampling—Definesauditsampling,itsobjectives,andwhentoapplyoravoidit,includingguidanceonusingstatistical,nonstatistical,anddata-drivensamplingapproaches

•2208.3DesignoftheSample—Providesdirectiononplanningandstructuringsamplesusingvarioustools

tooptimizeefficiency,representativeness,andriskcoverage,whileensuringdatacompletenessandpopulationintegrity

•2208.4SelectionoftheSample—Explainshowtoselectrepresentativesamplesthroughcontrolled,unbiased,andreproduciblemethods,supportedbystatistical,nonstatistical,andautomatedselectiontechniques

•2208.5EvaluationofSampleResults—Describeshowtoanalyzeandinterpretsamplingresultstoassesserrorrates,identifytrends,andvalidateconclusions

•2208.6Documentation—Outlinesrequirementsforrecordingsamplingobjectives,parameters,tools,andresults,ensuringtransparency,reproducibility,andaudittraceability

2208.2Sampling

SamplingenablesITauditandassurancepractitionerstoobtainsufficientandappropriateevidencewithoutexaminingeveryiteminapopulation.Theapproachshouldalignwiththeaudit’sobjectives,riskassessment,anddata

characteristics,ensuringthatresultsarerepresentativeandreliable.Theseguidelinesoutlinewhenandhowsamplingshouldbeapplied,themethodsavailable,andthecircumstanceswherealternativeapproaches,suchasfull-populationtestingordata-drivenassurance,maybemoreeffective.

ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

10

Guidelines

2208.2.1

RecognizetheLimitationsofReviewingAllInformation

Informinganauditopinionorconclusion,practitionersoftendonotexaminetheentirepopulationof

availableinformation,asdoingsomaybeimpracticalorinefficient.Whenafullreviewisnotfeasible

duetoconstraintssuchastime,resources,ordatavolume,practitionersshouldapplyappropriate

samplingtechniquestoobtainsufficientandappropriateevidencethatsupportsreliableanddefensibleconclusions.

Inselectingsamples,auditorsshouldalsoconsiderthetimelinessandrelevanceofthedata—for

example,focusingonrecenttransactionsandaccountingforanyseasonaloroperationalvariations.Usingoutdatedinformationmayresultinconclusionsthatdonotreflectcurrentprocessesorrisk,particularlyinrapidlyevolvingITenvironments.

2208.2.2

DetermineAuditSamplingMethodtoReachAppropriateConclusions

Practitionersshouldselectthesamplingmethod,statistical,nonstatistical,ordata-driven(analytics-

enabled),thatbestsupportstheauditobjectives,riskfocus,andcharacteristicsofthepopulationbeingtested.Samplingmethodsinclude:

•Statisticalsampling—Usesprobability-basedselection(e.g.,random,systematic,orstratified)andisappropriatewhenconclusionsmustrepresenttheentirepopulationorrequiremeasurable

confidencelevels.

■Forexample,selectingarandomsampleof200useraccesschangesfromafullyear’sactivitytoestimatecomplianceerrorrates.

•Nonstatisticalsampling—Reliesonprofessionaljudgmenttotargetitemsbasedonrisk,materiality,orcontrolsignificance.Suitableforfocusedorexploratorytestingwherepopulationvariabilityis

limitedorwellunderstood.

■Forexample,reviewingallprivilegedaccountchangesorhigh-valuefinancialtransactionsduringaspecificmonth.

•Data-drivensampling—Usesauditdataanalyticsorautomatedtoolstoselect,stratify,ortestlargedatasets,improvingcoverageandprecisionindata-richorcontinuousauditingenvironments.

■Forexample,applyingdataanalyticstoidentifyoutliersorunusualtransactionsacrossmillionsofsystemlogs.

•Hybridapproaches—Combineselementsofmultipleapproachestoimproveefficiency,consistency,andassurancecoverage.

■Forexample,apractitionermayusedata-drivensamplingtoidentifyhigh-risktransactions

withinalargedataset,thenapplystatisticalsamplingtotestarepresentativesubsetofthosetransactionsfordetailedevidence.

CHAPTER2PERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

11

Guidelines

2208.2.3

IdentifySituationsWhereitisInappropriatetoUseSampling

Practitionersshouldassesswhethertheuseofsamplingsupportstheauditobjectives,considering

thecharacteristicsofthedata,systems,andcontrolenvironment.Incertaincircumstances,alternativetestingmethodsmayprovidemorereliableorefficientassurance.Circumstanceswheresamplingmaybeinappropriateinclude:

•Evidenceordatalimitationsexist:

■Controlsorevidencecannotbeobservedorverified,suchaswhensystemlogs,approvalworkflows,ortransactionrecordsareincomplete,inaccessible,ormissing.

■Dataquality,completeness,orpopulationintegritycannotbeconfirmed,includingcaseswhereextractionlogicisflawed,formatsareinconsistent,orsource-to-reportreconciliationcannotbeperformed.

•Automationoranalyticalalternativesareused:

■Automatedorcontinuousauditingtoolscanefficientlytest100%oftransactionsorcontrolactivities,providinggreaterassurancethansample-basedtesting.

■Targeteddataanalytics,riskmodeling,oranomalydetectioncanidentifyhigh-riskitemsorexceptionsmoreeffectivelythanrandomorrepresentativesampling.

■Systemconfigurations,automatedworkflows,orembeddedcontrolsalreadyprovide

comprehensiveassurancecoveragethateliminatestheneedfortransaction-levelsampling.

•Populationcharacteristicsdonotwarrantsampling:

■Thepopulationissmallorhomogeneous,makingfulltestingmoreefficientandpracticalthansampling.

■Thepopulationisunstableordynamic,suchascontinuouslyupdatingdatasetsorreal-timelogsthatcannotbereliablydefinedorfrozenforsamplingpurposes.

•Riskorcomplianceconsiderationsarepresent:

■High-riskorcriticalitemsmayrequirefulltestingbecauseevenasingleerrorcouldhavesignificantfinancial,operational,orsecurityconsequences.

■Regulatory,legal,orcontractualobligationsmandatecompletetestingorverificationofcertaintransactions,controls,orconfigurations.

Practitionersshouldapplyprofessionaljudgmenttodeterminewhetherfull-populationtesting,targeteddataanalytics,orembeddedcontrolevaluationprovidesamoreappropriatealternativetosampling.

Themostsuitableapproachshouldconsiderfactorssuchasauditobjectives,datareliability,systemcapabilities,andresourceavailability.

2208.3DesignoftheSample

Effectivesampledesignensuresthataudittestingisalignedwiththeauditobjectives,riskassessment,and

populationcharacteristics,allowingpractitionerstoobtainsufficientandappropriateevidenceefficiently.Thedesignprocessshouldconsiderthenatureofcontrols,expectederrors,andavailabledata,andusetechnologytoimprove

representativeness,efficiency,andassurancequality.

ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

12

Guidelines

2208.3.1

DesignanAuditSampleAlignedwithObjectives,Risk,andPopulationCharacteristics

Whendesigningtheauditsample,practitionersshouldconsiderthefollowing:

•Definetheauditpurposeandapproach:

■Definetheauditobjectivesandidentifytheproceduresmostlikelytoachievethem.

■Considerthenatureofthecontrol—manual,automated,orhybrid—andhowitinfluencessamplingdesignandevidenceneeds.

•Understandthepopulation:

■Assesspopulationcharacteristicstoconfirmcompleteness,accuracy,andrelevancetotheauditobjectives.

■Identifysubgroupsorstratificationswithinthepopulationthatmayrequireseparateordifferentiatedsampling.

•Selectandvalidatethesamplingmethod:

■Selectthesamplingandselectionmethod(statistical,nonstatistical,data-driven,orhybrid)thatbestsupportstheauditobjectivesandriskassessment.

■Evaluatethereliabilityofavailableevidence,includingsystem-generateddata,reports,orconfigurationrecords.

■Assesspotentialerrorconditionsandrootcausesthatmayaffectcontrolperformanceorinterpretationofresults.

•Applytechnologyapproachesandmaintainquality:

■Usedataanalyticsorautomatedtestingtools,whereappropriate,todesignefficientandrepresentativesamplesthatenhanceassurancecoverage.

■AsauditdataenvironmentsevolvewithemergingtechnologiessuchasAI-enabledsystemsandadvancedanalyticstools,practitionersshouldevaluatehowthesedevelopmentsaffectdata

reliabilityandsamplingstrategies.e.g.,assessingdataprovenance,modeltransparency,andtheintegrityofautomatedprocessestoensurereliableauditconclusions.

■Maintainalignmentwithprofessionalstandardsandauditqualityrequirementsthroughoutthesamplingprocess.Forexample,samplingdesigndecisions,includingobjectives,parameters,

methods,andrationale,shouldbedocumentedtoensuretransparency,reproducibility,andaudittraceability.

CHAPTER2PERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

13

Guidelines

2208.3.2

ConsiderKeyFactorsWhenDefiningtheSampleDesign

Whendefiningthesampledesign,ITauditpractitionersshouldconsiderfactorsthatensurethesampleisrepresentative,reliable,andalignedwiththeaudit’sobjectivesandriskfocus.

Thesefactorsinclude:

•Definethesamplingpurposeandunit:

■Clarifythepurposeofthesampleinrelationtotheauditobjectivesanddesiredlevelofassurance.

■Identifythesamplingunit(e.g.,transaction,configuration,user,systemevent)toensureconsistencyinpopulationdefinitionandtesting.

•Understandthepopulationanditsstructure:

■Definethepopulationclearly,confirmingcompleteness,accuracy,andrelevancetotheauditscope.

■Identifysubpopulationsornaturalgroupingsthatrequireseparateorstratifiedsamplingforoperationalrelevance.

■Considersmallorrarepopulations,includinglow-frequencyoradverseevents,thatmaywarrantcompletetesting.

■Accountforoutliersoranomaliesthatcoulddistortrepresentativenessorrequireadditionalanalysis.

•Evaluaterisk,error,anddistributionfactors:

■Determinetheacceptablelevelofsamplingriskandthecorrespondingsamplesizeneededtoachievesufficientassurance,consideringmanagement’sdefinedriskappetiteandauditmaterialitythresholds.

■Establishthetolerableerrorrateandassessitsimpactonauditconclusions.

■Considertheunderlyingexpecteddatadistribution(e.g.,normal,binomial,Poisson,orexponential)whendeterminingsamplingtechniques.

■Assessbehavioralorperformancetrendsovertime(e.g.,seasonality,systemdegradation)thatmayinfluencesamplerepresentativeness.

•Integratedatareliabilityandanalyticalsupport:

■Evaluatetheintegrityandreliabilityofsourcedata,includingdatalineageandtransformationprocesses.

■Usedatafromexternalorsupportingtoolstoconfirmorcomplementsamplingresults,ensuringalignmentwithauditevidencerequirements.

■Applydataanalyticsandautomationcapabilitiesincludingdatareconciliationscripts,predictivemodeling,andanomalydetection,totestpopulationcompleteness,stratifydatasets,and

validatesamplingparametersinrealtime.

ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

14

Guidelines

2208.3.3

DeterminethePurposeoftheSample—Compliancevs.SubstantiveTesting

Whendesigningthesample,practitionersshoulddeterminewhetheritisintendedforcompliancetesting(toevaluatecontroleffectiveness)orsubstantivetesting(toverifydataaccuracyor

completeness).Thesamplingmethod,size,andevaluationcriteriashouldreflectthisdistinction.Compliancetestingisusedtoobtainauditevidenceonthedesignandoperatingeffectiveness

ofcontrolsduringtheauditperiod.Samplinghelpsdeterminewhethercontrolsarefunctioningasintended.Examplesofcompliancetestinginclude:

•Reviewofuseraccessmanagementcontrols(e.g.,appropriatenessofaccessrights,periodicaccessreviews)

•Examinationofchangemanagementactivities,suchasprogramchangeapprovalsortestingdocumentation

Substantivetestingisusedtoobtainauditevidenceonthecompleteness,accuracy,orexistenceof

specifictransactions,configurations,ordataelements.Samplingfocusesonverifyingindividualitemsordatarecords.Examplesofsubstantivetestinginclude:

•Re-performingautomatedorcomplexcalculations(e.g.,system-calculatedinterest,depreciation)onarepresentativesampleoftransactions

•Tracingasampleoftransactionstosupportingdocumentation(e.g.,invoices,approvals,orconfigurationevidence)

2208.3.4

SelecttheAppropriateSamplingUnitandMethod

Thesamplingunitdependsonthepurposeofthesample.Forcompliancetestingofcontrolsinwhichthesamplingunitisaneventortransaction(e.g.,acontrolsuchasauthorizationofaninvoice),

attributesamplingisusuallyused.Thismethodhelpsdeterminewhetherspecificcharacteristicsor

controlattributesarepresentwithinthepopulation.Forsubstantivetestinginwhichthesamplingunitisoftenmonetary(e.g.,dollars,balances,orquantities),variablesamplingisfrequentlyapplied.Thismethodhelpsmeasurethemonetaryorquantitativeimpactofanydifferencesormisstatementsinthepopulation.

2208.3.5

DefineandValidatethePopulationforSampling

Thepopulationcomprisesallitemsordataelementssubjecttothecontrolorprocessunderreview.Practitionersshouldensurethatthepopulationisaccuratelydefined,complete,andrelevanttotheauditobjectives.Aclearlydefinedandvalidatedpopulationisimportanttoobtainingreliableand

representativesamplingresults.

ForITaudits,validationproceduresmayincludereviewingdataextractionlogic,systemparameters,orreportfilterstoconfirmthatthepopulationfullyrepresentsthedefinedperiod,scope,andsystemenvironment.

CHAPTER2PERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING

15

Guidelines

2208.3.6

ApplyStratificationtoOptimizeSamplingDesign

Stratificationcanimprovetheefficiencyandeffectivenessofauditsamplingbydividingalargeor

diversepopulationintosubpopulations(strata)thatsharesimilarcharacteristics.Eachsamplingunit

shouldbelongtoonlyonestratum,ensuringclarityandconsistencyinselection.Stratificationcanallowpractitionerstofocusontestinghigher-riskormorevariableareas,whilereducingsamplesizeand

maintainingrepresentativenessacrossthepopulation.

ExamplesofstratificationinITauditsinclude:

•Groupinguseraccountsbyaccesslevel(e.g.,privileged,standard,serviceaccounts)

•Dividingchangemanagementrecordsbysystemtypeorapplicationcriticality

•Categorizingtransactionsbymonetaryvalue

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

评论

0/150

提交评论