Information systems audit: the basics
- 18 May, 2009 23:57
In the early days of computers, many people were suspicious of their ability to replace human beings performing complex tasks. The first business software applications were mostly in the domain of finance and accounting. The numbers from paper statements and receipts were entered into the computer, which would perform calculations and create reports. Computers were audited using sampling techniques. An auditor would collect the original paper statements and receipts, manually perform the calculations used to create each report, and compare the results of the manual calculation with those generated by the computer. In the early days, accountants would often find programming errors, and these were computer audit findings.
However, these exercises also sometimes yielded findings of fraud. Fraud activities ranged from data entry clerks changing check payees to programmers making deliberate rounding errors designed to accumulate cash balances in hidden bank accounts. [Editor's note: For more, see Essential Reading on Fraud.] As auditors recognized repeating patterns of fraud, they recommended a variety of security features designed to automatically prevent, detect, or recover from theft of assets.
As computers became more sophisticated, auditors recognized that they had fewer and fewer findings related to the correctness of calculations and more and more related to unauthorized access. Moreover, the checks and balances that were devised to maintain the correctness of calculations were implemented as software change control measures. These rely heavily on security to enforce segregation of duties between programming, testing, and deployment staff. This meant that even programming changes relied in some measure for their effectiveness on computer security controls. Nowadays, information systems audit seems almost synonymous with information security control testing.
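As an added illustration (not from the article), here is the kind of segregation-of-duties test an auditor might run over a sample of change-control records: each change should have a different person in the programmer, tester and deployer roles, and any user holding two or more of them is a finding. The record format, role names and user ids are constructed for this example.

```python
# Added example, not part of the original article: a minimal
# segregation-of-duties check over a change-control log. Records,
# role names and user ids below are constructed for illustration.
from dataclasses import dataclass

# The three roles the article says change control must keep separate.
ROLES = ("programmer", "tester", "deployer")


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    programmer: str
    tester: str
    deployer: str


def sod_violations(record):
    """Return {user: set_of_roles} for users holding more than one role."""
    holders = {}
    for role in ROLES:
        holders.setdefault(getattr(record, role), set()).add(role)
    return {user: roles for user, roles in holders.items() if len(roles) > 1}


def audit_change_log(records):
    """Return (change_id, user, roles) tuples for every violation found.

    An empty list is the evidence that the control operated for the sample.
    """
    findings = []
    for rec in records:
        for user, roles in sorted(sod_violations(rec).items()):
            findings.append((rec.change_id, user, tuple(sorted(roles))))
    return findings


# Constructed sample of change records, as an auditor might pull them.
SAMPLE_LOG = [
    ChangeRecord("CHG-001", "alice", "bob", "carol"),    # roles separated
    ChangeRecord("CHG-002", "dave", "dave", "carol"),    # tested own code
    ChangeRecord("CHG-003", "erin", "bob", "erin"),      # deployed own code
    ChangeRecord("CHG-004", "frank", "frank", "frank"),  # one person end to end
]

if __name__ == "__main__":
    for change_id, user, roles in audit_change_log(SAMPLE_LOG):
        print(f"{change_id}: {user} held {' and '.join(roles)}")
```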
The Scope of an IS Audit
However, the normal scope of an information systems audit still does cover the entire lifecycle of the technology under scrutiny, including the correctness of computer calculations. The word "scope" is prefaced by "normal" because the scope of an audit is dependent on its objective. Audits are always a result of some concern over the management of assets. The concerned party may be a regulatory agency, an asset owner, or any stakeholder in the operation of the systems environment, including systems managers themselves. That party will have an objective in commissioning the audit. The objective may be validating the correctness of the systems calculations, confirming that systems are appropriately accounted for as assets, assessing the operational integrity of an automated process, verifying that confidential data is not exposed to unauthorized individuals, and/or multiple combinations of these and other systems-related matters of importance. The objective of an audit will determine its scope.
It is sometimes a challenge for auditors representing management interests to map the audit objective onto technology. They first identify the business activity most likely to yield the best evidence in support of the audit objective. They then identify which application systems and networks handle the information that supports that business activity. For example, an audit may focus on a given IT process, in which case its scope will include the systems used to create input for, to execute, or to control the IT process. An audit focused on a given business area will include the systems necessary to support the business process. An audit that focuses on data privacy will cover the technology controls that enforce confidentiality on any database, file system, or application server that provides access to personally identifiable data.