Reviewing Business Processes

D.

When evaluating a business process for auditing, an IS auditor should first review the design and implementation of controls. This is because controls are the mechanisms put in place to manage risk and ensure that objectives are achieved. Therefore, it is essential to assess the effectiveness of controls to determine whether they are properly designed and implemented, and if they are working effectively to manage risk.

Reviewing the evidence that IS-related controls are operating effectively is important, but it comes after the assessment of the design and implementation of controls. The auditor needs to know what controls should be in place and how they should be operating before evaluating whether they are operating effectively.

Assessing the competence of the personnel performing the process is also important, but it is not the first thing that an IS auditor should review. Personnel competence can be assessed in relation to the process and controls, but this should come after reviewing the design and implementation of controls.

Finally, the assignment of responsibility for process management is another important consideration, but it is not the first thing to be reviewed. The auditor needs to understand the controls in place and how they should be operating before assessing whether responsibility for managing the process has been appropriately assigned.

In summary, when evaluating a business process for auditing, an IS auditor should review the design and implementation of controls first, followed by reviewing the evidence that IS-related controls are operating effectively, assessing the competence of personnel, and reviewing the assignment of responsibility for process management.