project on information system audit submitted by:submitted to:


Upload: cornelia-johns

Post on 22-Dec-2015


PROJECT ON INFORMATION SYSTEM AUDIT

SUBMITTED BY: SUBMITTED TO:


INDEX

DEFINITION OF ISA

ISA AUDIT SERVICES

NEED FOR ISA

BENEFITS

IMPORTANCE

TYPES

CONTROLS IN ISA

AUDIT TRAILS


DEFINITION OF INFORMATION SYSTEM AUDIT

The effectiveness of an information system’s controls is evaluated through an information systems audit.

An audit aims to establish whether information systems are safeguarding corporate assets, maintaining the integrity of stored and communicated data, supporting corporate objectives effectively, and operating efficiently.

It is a part of a more general financial audit that verifies an organization’s accounting records and financial statements. Information systems are designed so that every financial transaction can be traced.

In other words, an audit trail must exist that can establish where each transaction originated and how it was processed.

Aside from financial audits, operational audits are used to evaluate the effectiveness and efficiency of information systems operations, and technological audits verify that information technologies are appropriately chosen, configured, and implemented.


ISA provides the following audit services:

• IT Governance - IT governance audits include reviews of the organization’s fiduciary responsibility in satisfying the quality of IT delivery services while aligning with the business objectives and establishing an adequate system of internal controls.

• Information Systems - Information systems audits focus on security controls of physical and logical security of the server including change control, administration of server accounts, system logging and monitoring, incident handling, system backup and disaster recovery.

• Control Self-assessments - Control self-assessments are designed for departments that manage and operate a technology environment. These self-assessment tools can be used to identify potential areas of control weakness in the management of the technology environment.


• Compliance - Compliance audits include University policies and procedures, Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA), Family Education Rights and Privacy Act (FERPA) and any other applicable laws and regulations.

• Integrated Audits - Integrated audits include reviews of the business operations and their dependency on automated systems to support the business process.

We consider information technology and financial and operational processes as mutually dependent for establishing an effective and efficient control environment. From the technology perspective, the audit focuses on application controls, administration of user access, application change control and backup and recovery to assure reliability, integrity and availability of the data.


Need for Audit of Information System

Factors influencing an organization toward controls and audit of computers, and the impact of the information systems audit function on organizations, are described below:

Organization Costs of Data Loss: Data is a critical resource of an organization for its present and future processes and its ability to adapt and survive in a changing environment.

Incorrect Decision Making: Management and operational controls taken by managers involve detection, investigation and correction of the process.

Costs of Computer Abuse: Unauthorized access to computer systems, malware, unauthorized physical access to computer facilities and unauthorized copies of sensitive data can lead to destruction of assets.

Value of Computer Hardware, Software and Personnel: These are critical resources of an organization, which have a credible impact on its infrastructure and business competitiveness.


High Costs of Computer Error: In a computerized enterprise environment where many critical business processes are performed, a data error during entry or processing would cause great damage.

Maintenance of Privacy: Today, data collected in a business process contains private information about individuals too.

Controlled Evolution of Computer Use: The use of technology and the reliability of complex computer systems cannot be guaranteed, and the consequences of using unreliable systems can be destructive.

Information Systems Auditing: It is the process of attesting objectives (those of the external auditor) that focus on asset safeguarding and data integrity, and management objectives.


Data Integrity Objectives: Data integrity is a fundamental attribute of IS auditing. Maintaining the integrity of an organization's data is important at all times.

System Effectiveness Objectives: The effectiveness of a system is evaluated by auditing the characteristics and objectives of the system against business and user requirements.

System Efficiency Objectives: To optimize the use of various information system resources along with the impact on its computing environment.

Asset Safeguarding Objectives: The information system assets (hardware, software, data, information etc.) must be protected by a system of internal controls from unauthorized access.


Benefits

"Systems do not have a 'life cycle.' They may go on forever if kept viable with change. The only thing that has a 'life cycle' is a project which has a beginning for planning, a middle for execution, and an end for review." 

- Bryce's Law


Auditing of information systems is increasing day by day and becoming the focal point of the independent audit, compliance audit, and operational audits. Through auditing, the organization benefits in many ways, which are as under:

• Standardization.

• Improve business efficiency.

• Improve system and process controls.

• Plan for contingencies and disaster recovery.

• Manage information and developing systems.

• Prepare for the independent audit.

• Evaluate the effectiveness and efficiency related to the use of resources.

• Reduce risk and enhance system security.

• Prevent and detect errors as well as fraud.


Types

There are three types of information system audits: audit carried out in support of a financial statements audit, audit to evaluate compliance to applicable laws, policies and standards related to IT, and finally an IT audit can also be a performance (or value-for-money) audit.

The objectives of this audit include finding out if there are any excesses, inefficiency and wastage in the use and management of IT systems. This audit is carried out to assure the stakeholders that the IT system in place is value for the money invested in it.


The Importance of Information Systems Audit

Organizations today operate in a dynamic global multi-enterprise environment with team-oriented collaboration and place very stringent requirements on the telecommunications network.

Many organizations, no matter their size or scope of operation, have come to realize the importance of using information technology to stay ahead in the current global scenario. Companies have invested in information systems because they recognize the numerous benefits IT can bring to their operations.

Management should realize the need to ensure IT systems are reliable, secure and invulnerable to computer attacks.

The importance of information security is to ensure data confidentiality, integrity and availability.


Confidentiality of data means protecting the information from disclosure to unauthorized parties. Information such as bank account statements, trade secrets, personal information should be kept private and confidential. Protecting this information is a major part of information security.

An information systems audit would therefore ensure that the organization’s data is confidentially stored, that data integrity is ensured and data is available at all times for the authorized users.


Controls in ISA

When asking an auditor about controls, the key question is “what are the key things an auditor needs to consider while evaluating the said controls?”

Various general controls are given as follows:

• Operating System Controls

• Data Management Controls

• Organizational Structure Controls

• System Development Controls

• System Maintenance Controls

• Computer Centre Security Controls

• Internet & Intranet Controls

• Personal Computers Controls


Audit Trails

Audit trail controls attempt to ensure that a chronological record of all events that have occurred in a system is maintained. This record is needed to answer queries, fulfill statutory requirements, detect the consequences of error and allow system monitoring and tuning.

The objective of an audit trail is to obtain sufficient evidential matter regarding the reliability and integrity of the application system.

To achieve this, the audit trail should contain enough information to allow management, the auditor and the user:

i. to recreate processing action;

ii. to verify summary totals and

iii. to trace the sources of intentional and unintentional errors.


Objectives:

• Detecting unauthorized access to the system,

• Facilitating the reconstruction of events, and

• Promoting personal accountability

The audit trail should include the following information:

• System information including start up time, stop time, restarts, recovery etc.

• Transaction information including input items which change the database, control totals and rejected items (relevant to database applications).

• Communication information including terminal log-on/off, password use, security violation, network changes and transmission statistics (relevant to transaction processing i.e. TP applications).


Detecting Unauthorized Access:

Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls.

When properly designed, audit trails can be used to determine if unauthorized access was accomplished, or attempted and failed.


Reconstructing Events

Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors.

Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future.

For example, by maintaining a record of all changes to account balances, the audit trail can be used to reconstruct accounting data files that were corrupted by a system failure.
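
The reconstruction described above, as an added example that is not part of the original slides: this Python code replays a constructed audit trail to rebuild account balances, computes the net change for comparison with a control total, traces the record whose before-image does not match the replayed balance, and counts repeated failed log-ons. The record layout, field names and threshold are assumptions made for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed audit trail (not real data): one record per event, in time order.
TRAIL = [
    {"seq": 1, "type": "logon", "user": "clerk1", "terminal": "T04", "ok": True},
    {"seq": 2, "type": "txn", "user": "clerk1", "account": "A-100", "before": "500.00", "after": "650.00"},
    {"seq": 3, "type": "logon", "user": "admin", "terminal": "T09", "ok": False},
    {"seq": 4, "type": "logon", "user": "admin", "terminal": "T09", "ok": False},
    {"seq": 5, "type": "logon", "user": "admin", "terminal": "T09", "ok": False},
    {"seq": 6, "type": "txn", "user": "clerk2", "account": "A-200", "before": "80.00", "after": "30.00"},
    {"seq": 7, "type": "txn", "user": "clerk1", "account": "A-100", "before": "640.00", "after": "700.00"},
]
# Hypothetical opening balances taken from the last good backup.
OPENING = {"A-100": Decimal("500.00"), "A-200": Decimal("80.00")}


def reconstruct(trail, opening):
    """Replay balance changes; return (balances, net change, sequence breaks)."""
    balances, net, breaks = dict(opening), Decimal("0"), []
    for rec in (r for r in trail if r["type"] == "txn"):
        before, after = Decimal(rec["before"]), Decimal(rec["after"])
        # The before-image must equal the balance the replay has reached;
        # a mismatch points to a missing or altered record.
        if balances.get(rec["account"]) != before:
            breaks.append((rec["seq"], rec["user"], rec["account"]))
        balances[rec["account"]] = after
        net += after - before
    return balances, net, breaks


def repeated_failed_logons(trail, threshold=3):
    """Return (user, terminal) pairs with at least `threshold` failed log-ons."""
    fails = Counter((r["user"], r["terminal"]) for r in trail
                    if r["type"] == "logon" and not r["ok"])
    return sorted(k for k, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    balances, net, breaks = reconstruct(TRAIL, OPENING)
    print("reconstructed balances:", balances)
    print("net change (compare with batch control total):", net)
    print("before-image mismatches:", breaks)
    print("repeated failed log-ons:", repeated_failed_logons(TRAIL))
```

Record 7 is flagged because its recorded before-image (640.00) differs from the balance the replay reached after record 2 (650.00), which is the kind of gap an auditor would trace back to a missing or altered entry.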


Personal Accountability:

Audit trails can be used to monitor user activity at the lowest level of detail.

This capability is a preventive control that can be used to influence behavior.

Individuals are likely to violate an organization’s security policy if they know that their actions are not recorded in an audit log.


Conclusion:

The computer is changing the world. Business operations are also changing, sometimes very rapidly, because of the fast continuing improvement of technology.

For the IT auditor, the need for audit, security, and control will be critical in the areas of IT and will be the challenge of this millennium.

There are many challenges ahead; everyone must work together to design, implement, and safeguard the integration of these technologies in the workplace.