Control : Policies, procedures, practices and enterprise structure that are designed to provide reasonable assurance that business objectives will be achieved and undesired events are prevented or detected and corrected
1. Personnel : whether staff are trustworthy, know what they are doing, and have the appropriate skills and training to carry out their jobs to a competent standard
2. Segregation of duties : a key control in an information system. Segregation basically means that the stages in the processing of a transaction are split between different people, such that one person cannot process a transaction through from start to finish. The various stages in the transaction cycle are spread between two or more individuals. However, in a computerized system, the auditor should also be concerned with the segregation of duties within the IT department.
Within an IT environment, the staff in the computer department of an enterprise will have a detailed knowledge of the interrelationship between the source of data, how it is processed, and the distribution and use of output. IT staff may also be in a position to alter transaction data or even the financial applications which process the transactions. This gives them the knowledge and the means to alter data; all they would then require is a motive
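The segregation-of-duties control described above can be checked mechanically against role assignments. The following is an added illustration, not part of the original notes: the duty names, the conflict pairs, and the user and role data are all constructed samples, and the function names are this example's own. It flags users who already hold both halves of a conflicting pair (detective check) and also answers whether a proposed role grant would create one (preventive check), covering both the business-transaction split and the IT-department split (develop versus deploy) that the notes call out.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added illustration, not from the original notes. The duty names, the
conflict pairs and the user/role data below are constructed examples.
"""

# Pairs of duties one person should not hold together (constructed).
# Each pair would let one person push a transaction through from start to
# finish, or let IT staff both change and release production code.
SOD_CONFLICTS = {
    frozenset({"enter_transaction", "approve_transaction"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_program", "deploy_to_production"}),
    frozenset({"edit_master_file", "reconcile_accounts"}),
}

# Role -> duties it grants (constructed sample).
ROLE_DUTIES = {
    "ap_clerk": {"enter_transaction", "create_vendor"},
    "ap_manager": {"approve_transaction", "approve_payment"},
    "developer": {"develop_program"},
    "release_mgr": {"deploy_to_production"},
    "accountant": {"reconcile_accounts"},
    "dba": {"edit_master_file"},
}

# User -> roles assigned (constructed sample; bob and carol violate SoD).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},       # can both enter and approve
    "carol": {"developer", "release_mgr"},  # can both change and deploy code
    "dave": {"accountant"},
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of duties over every role the user holds (unknown roles grant nothing)."""
    duties = set()
    for role in user_roles.get(user, set()):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   conflicts=SOD_CONFLICTS):
    """Detective check: {user: [sorted conflicting pairs]} for every user
    whose effective duties contain a complete conflicting pair."""
    report = {}
    for user in sorted(user_roles):
        duties = effective_duties(user, user_roles, role_duties)
        found = [tuple(sorted(pair)) for pair in conflicts if pair <= duties]
        if found:
            report[user] = sorted(found)
    return report


def check_assignment(user, new_role, user_roles=USER_ROLES,
                     role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Preventive check: the conflicting pairs that granting new_role to user
    would introduce (empty list means the grant is clean)."""
    proposed = dict(user_roles)
    proposed[user] = set(user_roles.get(user, set())) | {new_role}
    return sod_violations(proposed, role_duties, conflicts).get(user, [])


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"{user}: conflicting duties {pairs}")
    print("alice + ap_manager:", check_assignment("alice", "ap_manager"))
```

In practice the conflict pairs come from the organisation's own control matrix, and the role and user data are exported from the access-control system; the check is then run periodically as an audit procedure and on every access request as a preventive control.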
3. Authorization procedures : to ensure that the transaction system has written evidence of individual data entry authorization
4. Record keeping : the controls over the protection and storage of documents, transaction details and audit trails
6. Management supervision and review : management’s supervision and review helps to deter and detect both errors and fraud
7. Concentration of programs and data : transaction and master file data may be stored in a computer readable form on one computer installation or on a number of distributed installations. Computer programs such as file editors are likely to be stored in the same location as the data. Therefore, in the absence of appropriate controls
Internal controls used within an organization comprise the following five interrelated components :
Control environment
Risk assessment
Control activities
Two basic functions carried out to examine changes :
1. Changes to evidence collection : changes in the audit trail. The existence of an audit trail is a key financial audit requirement. Without an audit trail, the financial auditor may have extreme difficulty in gathering sufficient, appropriate audit evidence to validate the figures in the client’s accounts
Responsibility for Controls
1. Long – range planning : includes documenting goals and objectives, explaining how strengths will be used and how weaknesses will be compensated for or corrected
The goals and objectives of the plan for use in measuring progress :
Revenue and expense estimates
Time allowance and target dates
2. Long – range planning and IT department : the information system managers must take systematic and proactive measures to :
Develop and implement appropriate, cost effective internal control for results oriented management
Assess the adequacy of internal control in programs and operations
Separately assess and document internal control over information systems consistent with the information security policy of the organization
Identify needed improvements
Take corresponding corrective action
Report annually on internal control through management assurance
3. Short – range planning or tactical planning : the functions and activities performed every day are established to meet the long – range goals.
4. Personnel management controls : this involves the activities and functions needed to administer individuals and salary and benefit costs. The control techniques are :
Job descriptions
Salary and benefits budget
Recruiting standards and criteria
Job performance evaluations
The audit of an IS environment to evaluate systems, practices and operation may include one or both of the following :
Assessment of internal controls within the IS environment to assure validity, reliability, and security of information
Assessment of the efficiency and effectiveness of the IS environment in economic terms
Responsibility of IS auditor :
Sound knowledge of business operations, practices and compliance requirements
Should possess the requisite professional technical qualification and certifications
A good understanding of information risks and controls
Knowledge of IT strategies, policy and procedure controls
Ability to understand technical and manual controls relating to business continuity and
Good knowledge of professional standards and best
Function of IS auditor
IT auditors review risks relating to IT systems and processes, some of which are :
Inadequate information security
Inefficient use of corporate resources, or poor governance
Ineffective IT strategies, policies and practices
Categories of IS audits
1. System and Applications
2. Information Processing Facilities
3. Systems Development
4. Management of IT and Enterprise Architecture
Scoping and pre – audit survey : the auditors
Planning and preparation : during which the scope is broken down into greater levels of detail, usually involving the generation of an audit work plan or risk control matrix
Fieldwork : gathering evidence by interviewing staff and managers, reviewing documents, printouts and data, observing processes, etc
Analysis : this step involves sorting out, reviewing and trying to make sense of all the evidence gathered earlier. SWOT and PEST techniques can be used for analysis
Reporting : reporting to management is done after the gathered data has been analysed
Closure : closure involves preparing notes for future audits
Audit Standards
IS auditors need guidance on how :
IS should be assessed to plan their audit effectively
To focus their effort on high risk areas
To assess the severity of any errors or
The standards from The Institute of Chartered Accountants of India are the AASs, which can be adapted for IS audits :
1. Basic principles governing audit
2. Objective and scope of the audit of financial statements
3. Documentation
5. Audit evidence
6. Risk assessment and internal controls
7. Relying upon the work of an internal auditor
8. Audit planning
9. Using the work of an expert
10. Using the work of another auditor
11. Representations by management
12. Responsibility of joint auditors
13. Audit materiality
14. Analytical procedures
15. Audit sampling
16. Going concern
18. Audit of accounting estimates
19. Subsequent Events
20. Knowledge of business
21. Consideration of laws and regulations in an audit of financial statements
22. Initial engagements – opening balances
23. Related parties
24. Audit considerations relating to using service organizations
25. Comparatives
27. Communication of audit matters with those charged with governance
28. The auditor’s report on financial statements
29. Auditing in a computer information system environment
30. External confirmations
31. Engagements to compile financial information
32. Engagement to perform agreed upon
Other standards come from several well known organizations :
1. ISACA :
1. IS auditing standards
2. IS auditing standards
3. IS auditing guidelines
2. ISO 27001 (Information security
3. IIA (The institute of Internal Auditors) : issued GTAG (Global Technology Audit Guide)
4. ITIL (IT Infrastructure Library)
1. Find out about :
1. IS auditing standards
2. IS auditing standards
3. IS auditing guidelines
4. ISO 27001
5. GTAG
6. ITIL
7. COBIT
1. System Development methodology
2. Levels of System testing
3. ERP (Enterprise Resource Planning)
4. Management Information System