Control Objectives - Repository UNIKOM

Academic year: 2019

Control : Policies, procedures, practices and enterprise structure that are designed to provide reasonable assurance that business objectives will be achieved and undesired events are prevented or detected and corrected

1. Personnel : whether or not staff are trustworthy, whether they know what they are doing, and whether they have the appropriate skills and training to carry out their jobs to a competent standard

2. Segregation of duties : a key control in an information system. Segregation basically means that the stages in the processing of a transaction are split between different people, such that one person cannot process a transaction through from start to finish. The various stages in the transaction cycle are spread between two or more individuals. However, in a computerized system, the auditor should also be concerned with the segregation of duties within the IT department.

Within an IT environment, the staff in the computer department of an enterprise will have a detailed knowledge of the interrelationship between the source of data, how it is processed, and the distribution and use of output. IT staff may also be in a position to alter transaction data or even the financial applications which process the transactions. This gives them the knowledge and means to alter data; all they would then require is a motive

3. Authorization procedures : to ensure that transaction system written evidence of individual data entry authorization

4. Record keeping : the controls over the protection and storage of documents, transaction details and audit trails

6. Management supervision and review : management’s supervision and review helps to deter and detect both errors and fraud

7. Concentration of programs and data : transaction and master file data may be stored in a computer readable form on one computer installation or on a number of distributed installations. Computer programs such as file editors are likely to be stored in the same location as the data. Therefore, in the absence of appropriate controls

Internal controls used within an organization comprise the following five interrelated components :

Control environment

Risk assessment

Control activities

Two basic functions carried out to examine changes :

1. Changes to evidence collection : changes in the audit trail. The existence of an audit trail is a key financial audit requirement. Without an audit trail, the financial auditor may have extreme difficulty in gathering sufficient, appropriate audit evidence to validate the figures in the client’s accounts

Responsibility for Controls

1. Long – range planning : includes documenting goals and objectives, explaining how strengths will be used and how weaknesses will be compensated for or corrected

The goals and objectives of the plan for use in measuring progress :

Revenue and expense estimates

Time allowance and target dates

2. Long – range planning and IT department : the information system managers must take systematic and proactive measures to :

Develop and implement appropriate, cost effective internal control for results oriented management

Assess the adequacy of internal control in programs and operations

Separately assess and document internal control over information systems consistent with the information security policy of the organization

Identify needed improvements

Take corresponding corrective action

Report annually on internal control through management assurance

3. Short – range planning or tactical planning : the functions and activities performed every day are established to meet the long – range goals.

4. Personnel management controls : this involves activities and functions to accomplish the administration of individuals, salary and benefit costs. The control techniques are :

Job descriptions

Salary and benefits budget

Recruiting standards and criteria

Job performance evaluations

The audit of an IS environment to evaluate systems, practices and operation may include one or both of the following :

Assessment of internal controls within the IS environment to assure validity, reliability, and security of information

Assessment of the efficiency and effectiveness of the IS environment in economic terms

Responsibility of IS auditor :

Sound knowledge of business operations, practices and compliance requirements

Should possess the requisite professional technical qualification and certifications

A good understanding of information risks and controls

Knowledge of IT strategies, policy and procedure controls

Ability to understand technical and manual controls relating to business continuity and

Good knowledge of professional standards and best

Function of IS auditor

IT auditors review risks relating to IT systems and processes, some of them are :

Inadequate information security

Inefficient use of corporate resources, or poor governance

Ineffective IT strategies, policies and practices

Categories of IS audits

1. System and Applications

2. Information Processing Facilities

3. Systems Development

4. Management of IT and Enterprise Architecture

Scoping and pre – audit survey : the auditors

Planning and preparation : during which the scope is broken down into greater levels of detail, usually involving the generation of an audit work plan or risk control matrix

Fieldwork : gathering evidence by interviewing staff and managers, reviewing documents, printouts and data, observing processes, etc

Analysis : this step involves desperately sorting out, reviewing and trying to make sense of all that evidence gathered earlier. SWOT and PEST techniques can be used for analysis

Reporting : reporting to the management is done after analysis of data gathered and analysis

Closure : closure involves preparing notes for future audits

Audit Standards

IS auditors need guidance on how :

IS should be assessed to plan their audit effectively

To focus their effort on high risk areas

To assess the severity of any errors or

The standards from the Institute of Chartered Accountants of India are the AASs, which can be adapted for IS audits :

1. Basic principles governing audit

2. Objective and scope of the audit of financial statements

3. Documentation

5. Audit evidence

6. Risk assessment and internal controls

7. Relying upon the work of an internal auditor

8. Audit planning

9. Using the work of an expert

10. Using the work of another auditor

11. Representations by management

12. Responsibility of joint auditors

13. Audit materiality

14. Analytical procedures

15. Audit sampling

16. Going concern

18. Audit of accounting estimates

19. Subsequent Events

20. Knowledge of business

21. Consideration of laws and regulations in an audit of financial statements

22. Initial engagements opening balances

23. Related parties

24. Audit considerations relating to using service organizations

25. Comparatives

27. Communication of audit matters with those charged with governance

28. The auditor’s report on financial statements

29. Auditing in a computer information system environment

30. External confirmations

31. Engagements to compile financial information

32. Engagement to perform agreed upon

Other standards came from several well known organizations :

1. ISACA :

1. IS auditing standards

2. IS auditing standards

3. IS auditing guidelines

2. ISO 27001 (Information security

3. IIA (The Institute of Internal Auditors) : issued the GTAG (Global Technology Audit Guide)

4. ITIL (IT Infrastructure Library)

1. Find out about :

1. IS auditing standards

2. IS auditing standards

3. IS auditing guidelines

4. ISO 27001

5. GTAG

6. ITIL

7. COBIT

1. System Development methodology

2. Levels of System testing

3. ERP (Enterprise Resource Planning)

4. Management Information System
