PROJECT ON INFORMATION SYSTEM AUDIT
SUBMITTED BY: SUBMITTED TO:
INDEX
DEFINITION OF ISA
ISA AUDIT SERVICES
NEED FOR ISA
BENEFITS
IMPORTANCE
TYPES
CONTROLS IN ISA
AUDIT TRAILS
DEFINITION OF INFORMATION SYSTEM AUDIT
The effectiveness of an information system’s controls is evaluated through an
information systems audit.
An audit aims to establish whether information systems are safeguarding corporate
assets, maintaining the integrity of stored and communicated data, supporting
corporate objectives effectively, and operating efficiently.
It is a part of a more general financial audit that verifies an organization’s accounting
records and financial statements. Information systems are designed so that every
financial transaction can be traced.
In other words, an audit trail must exist that can establish where each transaction
originated and how it was processed.
Aside from financial audits, operational audits are used to evaluate the effectiveness
and efficiency of information systems operations, and technological audits verify that
information technologies are appropriately chosen, configured, and implemented.
ISA provides the following audit services:
• IT Governance - IT governance audits include reviews of the
organization’s fiduciary responsibility in satisfying the quality of IT
delivery services while aligning with the business objectives and
establishing an adequate system of internal controls.
• Information Systems - Information systems audits focus on the physical
and logical security controls of the server, including change
control, administration of server accounts, system logging and
monitoring, incident handling, system backup and disaster recovery.
• Control Self-assessments - Control self-assessments are designed for
departments that manage and operate a technology environment.
These self-assessment tools can be used to identify potential areas of
control weakness in the management of the technology environment.
• Compliance - Compliance audits include University policies and
procedures, Payment Card Industry (PCI), the Health Insurance Portability and
Accountability Act (HIPAA), Family Education Rights and Privacy Act (FERPA) and any
other applicable laws and regulations.
• Integrated Audits - Integrated audits include reviews of the business
operations and their dependency on automated systems to support the
business process.
We consider information technology and financial and operational processes
as mutually dependent for establishing an effective and efficient control
environment. From the technology perspective, the audit focuses on
application controls, administration of user access, application change
control and backup and recovery to assure reliability, integrity and
availability of the data.
Need for Audit of Information System
Factors influencing an organization toward controls and audit of
computers, and the impact of the information systems audit function
on organizations, are described below:
Organizational Costs of Data Loss: Data is a critical resource of an organization for
its present and future processes and for its ability to adapt and survive in a changing
environment.
Incorrect Decision Making: Management and operational controls taken by managers
involve detection, investigation and correction of the process.
Costs of Computer Abuse: Unauthorized access to computer systems, malware,
unauthorized physical access to computer facilities and unauthorized copies of
sensitive data can lead to destruction of assets.
Value of Computer Hardware, Software and Personnel: These are critical
resources of an organization, which have a credible impact on its infrastructure and
business competitiveness.
High Costs of Computer Error: In a computerized enterprise
environment where many critical business processes are performed, a
data error during entry or process would cause great damage.
Maintenance of privacy: Today, data collected in a business process
contains private information about individuals too.
Controlled evolution of computer use: Use of Technology and
reliability of complex computer systems cannot be guaranteed and the
consequences of using unreliable systems can be destructive.
Information systems Auditing: It is the process of attesting
objectives (those of the external auditor) that focus on asset
safeguarding and data integrity, and management objectives.
Data Integrity Objectives: Data integrity is a fundamental attribute of IS
auditing. The integrity of an organization's data must be maintained
at all times.
System Effectiveness objectives: Effectiveness of a system is
evaluated by auditing the characteristics and objectives of the system to
meet business and user requirements.
System Efficiency objectives: To optimize the use of various
information system resources along with the impact on its computing
environment.
Asset Safeguarding objectives: The information system assets
(hardware, software, data information etc.) must be protected by a
system of internal controls from unauthorized access.
Benefits
"Systems do not have a 'life cycle.' They may go on forever if kept viable with change. The only thing that has a 'life cycle' is a project which has a beginning for planning, a middle for execution, and an end for review."
- Bryce's Law
Information system auditing is increasing day by day
and becoming the focal point of independent, compliance,
and operational audits. Through auditing, an organization
benefits in many ways, as follows:
• Standardization.
• Improve business efficiency.
• Improve system and process controls.
• Plan for contingencies and disaster recovery.
• Manage information and develop systems.
• Prepare for the independent audit.
• Evaluate the effectiveness and efficiency related to the use of
resources.
• Reduce risk and enhance system security.
• Prevent and detect errors as well as fraud.
Types
There are three types of information system audits: an audit carried
out in support of a financial statements audit, an audit to
evaluate compliance with applicable laws, policies and standards
related to IT, and a performance (or value-for-money) audit.
The objectives of a performance audit include finding out if there are any
excesses, inefficiency and wastage in the use and management
of IT systems. This audit is carried out to assure the stakeholders
that the IT system in place is value for the money invested in it.
The Importance of Information Systems Audit
Organizations today operate in a dynamic global multi-enterprise
environment with team-oriented collaboration and place very stringent
requirements on the telecommunications network.
Many organizations, no matter their size or scope of operation, have come
to realize the importance of using information technology to stay ahead in
the current global scenario. Companies have invested in information
systems because they recognize the numerous benefits IT can bring to
their operations.
Management should realize the need to ensure IT systems are reliable,
secure and invulnerable to computer attacks.
The importance of information security is to ensure data confidentiality,
integrity and availability.
Confidentiality of data means protecting the information from
disclosure to unauthorized parties. Information such as bank
account statements, trade secrets, personal information should be
kept private and confidential. Protecting this information is a
major part of information security.
An information systems audit would therefore ensure that the
organization’s data is confidentially stored, that data integrity is
ensured and data is available at all times for the authorized users.
Controls in ISA
When asking an auditor about the controls, the key question is “what are the
key things an auditor needs to consider while evaluating the said controls?”
Various general controls are given as follows:
Operating System Controls
Data management controls
Organizational structure controls
System Development Controls
System Maintenance Controls
Computer Centre Security Controls
Internet & Intranet Controls
Personal Computers Controls
Audit Trails
Audit trail controls attempt to ensure that a chronological record of all events
that have occurred in a system is maintained. This record is needed to
answer queries, fulfill statutory requirements, detect the consequences of
error and allow system monitoring and tuning.
The objective of an audit trail is to obtain sufficient evidential matter regarding the
reliability and integrity of the application system.
To achieve this, the audit trail should contain enough information to allow
management, the auditor and the user:
i. to recreate processing action;
ii. to verify summary totals and
iii. to trace the sources of intentional and unintentional errors.
Objectives:
• Detecting unauthorized access to the system,
• Facilitating the reconstruction of events, and
• Promoting personal accountability
The audit trail should include the following information:
• System information including start up time, stop time, restarts, recovery etc.
• Transaction information including input items which change the database, control totals and rejected items (relevant to database applications).
• Communication information including terminal log-on/off, password use, security violation, network changes and transmission statistics (relevant to transaction processing i.e. TP applications).
Detecting Unauthorized Access:
Detecting unauthorized access can occur in real time or after the fact.
The primary objective of real-time detection is to protect the system
from outsiders who are attempting to breach system controls.
When properly designed, audit trails can be used to determine if
unauthorized access was accomplished, or attempted and failed.
Reconstructing Events
Audit analysis can be used to reconstruct the steps that led to events such as
system failures, security violations by individuals, or application processing
errors.
Knowledge of the conditions that existed at the time of a system failure can be
used to assign responsibility and to avoid similar situations in the future.
For example, by maintaining a record of all changes to account balances, the
audit trail can be used to reconstruct accounting data files that were corrupted
by a system failure.
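As an added illustration (not part of the original slides), the Python sketch below replays a constructed audit trail to recreate processing, verify a control total, list rejected items, and trace where a balance stops reconciling. The record fields (seq, user, account, before, delta, status) and all sample values are assumptions made for the example.

```python
from decimal import Decimal

# Constructed sample audit trail, oldest record first. The field names
# (seq, user, account, before, delta, status) are assumptions for this example.
TRAIL = [
    {"seq": 1, "user": "clerk1", "account": "A-100", "before": "0.00",   "delta": "500.00",  "status": "posted"},
    {"seq": 2, "user": "clerk2", "account": "B-200", "before": "0.00",   "delta": "250.00",  "status": "posted"},
    {"seq": 3, "user": "clerk1", "account": "A-100", "before": "500.00", "delta": "-120.00", "status": "posted"},
    {"seq": 4, "user": "clerk3", "account": "B-200", "before": "250.00", "delta": "9999.00", "status": "rejected"},
    {"seq": 5, "user": "clerk2", "account": "B-200", "before": "300.00", "delta": "40.00",   "status": "posted"},
]
CONTROL_TOTAL = Decimal("670.00")  # batch total recorded by the application (constructed)


def replay(trail, control_total):
    """Recreate processing from the trail and report what does not reconcile."""
    balances = {}     # account -> balance rebuilt purely from the trail
    rejected = []     # seq numbers of rejected input items
    mismatches = []   # (seq, user) where the recorded 'before' differs from the rebuilt state
    posted_sum = Decimal("0")
    last_seq = 0
    for rec in sorted(trail, key=lambda r: r["seq"]):
        if rec["seq"] != last_seq + 1:
            # A missing sequence number means the chronological record is incomplete.
            raise ValueError(f"gap in audit trail before seq {rec['seq']}")
        last_seq = rec["seq"]
        if rec["status"] == "rejected":
            rejected.append(rec["seq"])
            continue
        current = balances.get(rec["account"], Decimal("0"))
        if Decimal(rec["before"]) != current:
            # Recorded starting balance disagrees with the rebuilt one: an unlogged
            # change or an error. Note where, and in whose record, it surfaced.
            mismatches.append((rec["seq"], rec["user"]))
        delta = Decimal(rec["delta"])
        balances[rec["account"]] = current + delta
        posted_sum += delta
    return {
        "balances": balances,
        "rejected": rejected,
        "mismatches": mismatches,
        "control_total_ok": posted_sum == control_total,
    }


if __name__ == "__main__":
    for key, value in replay(TRAIL, CONTROL_TOTAL).items():
        print(key, value)
```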
Personal Accountability:
Audit trails can be used to monitor user activity at the lowest level
of detail.
This capability is a preventive control that can be used to
influence behavior.
Individuals are likely to violate an organization’s security policy if
they know that their actions are not recorded in an audit log.
Conclusion:
The computer is changing the world. Business operations are
also changing, sometimes very rapidly, because of the fast
continuing improvement of technology.
For the IT auditor, the need for audit, security, and control will
be critical in the areas of IT and will be the challenge of this
millennium.
There are many challenges ahead; everyone must work
together to design, implement, and safeguard the integration
of these technologies in the workplace.