
Chapter 1:

Information Systems Auditing: concept, need, objectives, standards, steps, performance,
tools and techniques, methodologies etc.
What is ISA?

An information technology audit, or information systems audit, is an
examination of the management controls within an Information technology (IT)
infrastructure. The evaluation of obtained evidence determines if the information
systems are safeguarding assets, maintaining data integrity, and operating
effectively to achieve the organization's goals or objectives. These reviews may be
performed in conjunction with a financial statement audit, internal audit, or other
form of attestation engagement.

IT audits are also known as "automated data processing (ADP) audits" and
"computer audits". They were formerly called "electronic data processing (EDP)
audits".

Need:

The use of computers and computer-based information systems has pervaded deep
and wide in every modern-day organization. An organization must exercise control
over these computer-based information systems because the cost of errors and
irregularities that may arise in these systems can be high and can even challenge the
very existence of the organization.

An organization's ability to survive can be severely undermined through corruption or
destruction of its database; decision-making errors caused by poor-quality
information systems; losses incurred through computer abuse; loss of computer
assets; and loss of control over how the computers are used within the organization.
Therefore managements across the world have deployed specialized auditors to audit
their information systems, to find gaps between declared policies and actual use
and shortcomings in information system design and usage.

Information Systems Audit is the process of collecting and evaluating evidence to
determine whether a computer system has been designed to maintain data integrity,
safeguard assets, allow organizational goals to be achieved effectively and use
resources efficiently.

The IS Auditor should see that not only do adequate internal controls exist in the
system but they also work effectively to ensure results and achieve objectives.
Internal controls should be commensurate with the risk assessed so as to reduce the
impact of identified risks to acceptable levels. IT Auditors need to evaluate the
adequacy of internal controls in computer systems to mitigate the risk of loss due to
errors, fraud and other acts, and disasters or incidents that cause the system to be
unavailable.

Concept:

A security audit is a systematic evaluation of the security of a company's information
system by measuring how well it conforms to a set of established criteria. A thorough
audit typically assesses the security of the system's physical configuration and
environment, software, information handling processes, and user practices. Security
audits are often used to determine regulatory compliance, in the wake of legislation
(such as HIPAA, the Sarbanes-Oxley Act, and the California

According to Ira Winkler, president of the Internet Security Advisors Group, security
audits, vulnerability assessments, and penetration testing are the three main types
of security diagnostics. Each of the three takes a different approach and may be best
suited for a particular purpose. Security audits measure an information system's
performance against a list of criteria. A vulnerability assessment, on the other hand,
involves a comprehensive study of an entire information system, seeking potential
security weaknesses. Penetration testing is a covert operation, in which a security
expert tries a number of attacks to ascertain whether or not a system could
withstand the same types of attacks from a malicious hacker. In penetration testing,
the feigned attack can include anything a real attacker might try, such as social
engineering.

Meaning of Information Security

The protection of data against unauthorized access. Programs and data can be
secured by issuing passwords and digital certificates to authorized users. However,
passwords only validate that a correct number has been entered, not that it is the
actual person. Digital certificates and biometric techniques (fingerprints, eyes, voice,
etc.) provide a more secure method. After a user has been authenticated, sensitive
data can be encrypted to prevent eavesdropping.

Auditing Standards for auditing Information Systems

The specialized nature of Information Systems auditing and the professional skills
and credibility necessary to perform such audits require standards that apply
specifically to IS auditing.

Standards, procedures and guidelines have been issued by various institutions, which
discuss the way the auditor should go about auditing Information Systems.

In line with such developments the Supreme Audit Institution of India has declared a
mission to adopt and evolve standards, guidelines and best practices for auditing in a
computerized environment. This will lend credibility and clarity to conducting audits in
a computerized environment.

The framework for the IS Auditing Standards provides multiple levels of guidance.
Standards provide a framework for all audits and auditors and define the mandatory
requirements of the audit. They are broad statements of auditors' responsibilities and
ensure that auditors have the competence, integrity, objectivity and independence in
planning, conducting and reporting on their work. Guidelines provide guidance in
applying IS Auditing Standards. The IS auditor should consider them in determining
how to achieve implementation of the standards, use professional judgment in their
application and be prepared to justify any departure. Procedures provide examples
of procedures an IS auditor might follow in an audit engagement. They provide
information on how to meet the standards when performing IS auditing work, but do
not set requirements.

The objective of the IS Auditing Guidelines and Procedures is to provide further
information on how to comply with the IS Auditing Standards.

While conducting Information System Audit the auditor should consider the issues of
confidentiality, integrity and availability (CIA) and his work should be guided by
international or respective national standards. These may include INTOSAI Auditing
Standards, International Federation of Accountants (IFAC) Auditing Standards,
International standards of professional audit institutions such as Information
Systems Audit and Control Association (ISACA) and Institute of Internal auditors
(IIA) and national auditing standards of SAI member countries.

Information Systems Audit and Control Association (ISACA) has laid down the
following generic requirements for IS audit which are applicable to all categories of
IS audits:

1. The responsibility, authority and accountability of the information systems
audit function are to be appropriately documented in an audit.
2. The information systems auditor is to be independent of the auditee in attitude
and appearance.
3. The information systems auditor is to adhere to the Code of Professional
Ethics. Due professional care and observance of applicable professional
auditing standards are to be exercised.
4. The information systems auditor is to be technically competent, having the
skills and knowledge necessary to perform the auditor's work, and has to
maintain technical competence through continuing professional education.
5. The information systems auditor is to plan his work to address the audit
objectives.
6. Information systems audit staff are to be appropriately supervised so as to
ensure that audit objectives and applicable professional auditing standards are
met. The audit findings and conclusions are to be supported by appropriate
analysis and interpretation of sufficient, reliable, relevant and useful
evidence.
7. The information systems auditor is to provide a report, in an appropriate form,
to intended recipients upon the completion of audit work.
8. The information systems auditor is to follow up in a timely manner on action
taken on previous relevant findings.

The COBIT framework gives an IS Auditor an understanding of business objectives and
best practices and recommends a commonly understood and well-respected standard
reference. It includes Control Objectives, Control Practices and Audit Guidelines,
which provide guidance for each control area on how to obtain an understanding,
evaluate each control, assess compliance, and substantiate the risk of controls not
being met.

Information Systems Security and Audit

Organizations in all sectors of the economy depend upon information systems and
communications networks, and share common requirements to protect sensitive
information. Organizations and professional bodies work towards establishing secure
information technology systems for protecting the integrity, confidentiality, reliability,
and availability of information.

Information Systems Security Audit is an independent review and examination of
system records, activities and related documents to determine the adequacy of
system controls, ensure compliance with established security policy and approved
operational procedures, and detect breaches in security, so as to verify whether data
integrity is maintained, assets are safeguarded, organizational goals are achieved
effectively and resources are used efficiently.

Security audit is a systematic, measurable technical assessment of how security
policies are built into the information systems.

Professionalism and credibility play a very important role in the auditor's
performance of Information Systems Security Audit. He should have full knowledge
of the organization and its various functions, at times with considerable inside
information.

The three fundamental features of an Information System that get tested in the course
of a security audit are the confidentiality, availability and integrity of the
information systems assets. The principal screening variables are the various
conceivable physical and logical security threats.

The purpose of any audit will be essentially to examine three basic compliances in
terms of Confidentiality, Integrity and Availability (CIA).

Confidentiality concerns the protection of sensitive information from
unauthorized disclosure. Keeping in view the level of sensitivity of the data, the
stringency of controls over its access should be determined.

Integrity refers to the accuracy and completeness of the information as well as
to its validity in accordance with business values and expectations. It is an
important audit objective as it provides assurance to the management as well as
the users that the information can be relied upon and trusted. It also includes
reliability, which refers to the degree of consistency with which the system functions.

Availability relates to information and information systems being available and
operational when they are needed. It also concerns safeguarding of necessary
resources and associated capabilities. This implies that the organization has
measures in place to ensure business continuity and that timely recovery can be
made in case of disasters.

Importance of Security Audit

An organization is always subjected to a set of risks in every business and
project initiative it undertakes. These include Business Risk, Strategic Risk,
Operational Risk and Risk of legal non-compliance. The information systems,
while they play a significant role in the strategic initiatives of organizations (be
it an ERP in a large auto company or an e-governance initiative), are also
subjected to these risks.

Threats can be internal or external to the organization on one hand, and a
result of some slippage or deliberate intrusion on the other. Thus besides
safeguarding the information system, Security Audit protects the organization's
overall interests.


Standardizing Security Audit:

Institutions and professional bodies all over the world have issued various
guidelines and best practices regarding Information System Security from
time to time.

British Standards (BS 7799) provides guidelines to organizations to
identify, manage and minimize the range of threats to which information is
regularly subjected. These include internal threats, external threats,
accidents, malicious actions and industrial sabotage.

International Organization for Standardization (ISO/IEC 17799)
guidelines state that the management should set a clear policy direction and
demonstrate support for, and commitment to, information security through
the issue and maintenance of an information security policy across the
organization.

Center for Internet Security (CIS) has a mission to help organizations
reduce the risk of business and e-commerce disruptions resulting from
inadequate technical security controls. CIS benchmarks support high level
standards that deal with the "Why, Who, When, and Where" aspects of IT
security by detailing "How" to secure an ever widening array of workstations,
servers, network devices, and software applications in terms of technology
specific controls.

Generally Accepted System Security Principles (GASSP), which is
sponsored by the International Information Security Foundation (I2SF),
promotes good practice and provides the authoritative point of reference and
legal reference for information security principles, practices and opinions.

National Institute of Standards and Technology (NIST) has published
guidelines to provide a standardized approach for assessing the effectiveness
of the management, operational, and technical security controls in an
information system and for determining the business or mission risk to an
agency's operations and assets brought about by the operation of that
system. Under the Computer Security Act of 1987 (P.L. 100-235), the
Computer Security Division of the Information Technology Laboratory (ITL)
develops computer security prototypes, tests, standards, and procedures to
protect sensitive information from unauthorized access or modification. Focus
areas include cryptographic technology and applications, advanced
authentication, public key infrastructure, internetworking security, criteria and
assurance, and security management and support. The NIST IPsec Project
is concerned with providing authentication, integrity and confidentiality
security services at the Internet (IP) Layer, for both the current IP protocol
(IPv4) and the next generation IP protocol (IPv6).

Commonly Accepted Security Practices & Recommendations (CASPR) provides advice
about how to use technologies, products, and methodologies to secure the IT
environment, through papers written and vetted by a community of experts.

Bureau of Indian Standards (BIS) describes Information Security Policy as
one of the main responsibilities of the management of an organization and
thus is a pointer to the roles and functions of the auditor. It talks about
identifying all business critical information and evaluating their existing
classification, risk assessment, reviewing the security controls to mitigate the
risks and suggesting improvements in the Information Security Management
System.

Elements of IS Audit

An information system is not just a computer. Today's information systems are
complex and have many components that piece together to make a business
solution. Assurances about an information system can be obtained only if all the
components are evaluated and secured. The proverbial weakest link determines the
total strength of the chain. The major elements of IS audit can be broadly classified
as:

1. Physical and environmental review: This includes physical security, power
supply, air conditioning, humidity control and other environmental factors.
2. System administration review: This includes security review of the operating
systems, database management systems, all system administration procedures and
compliance.
3. Application software review: The business application could be payroll, invoicing,
a web-based customer order processing system or an enterprise resource planning
system that actually runs the business. Review of such application software includes
access control and authorizations, validations, error and exception handling, business
process flows within the application software and complementary manual controls
and procedures. Additionally, a review of the system development lifecycle should be
completed.
4. Network security review: Review of internal and external connections to the
system, perimeter security, firewall review, router access control lists, port scanning
and intrusion detection are some typical areas of coverage.
5. Business continuity review: This includes existence and maintenance of fault
tolerant and redundant hardware, backup procedures and storage, and a documented
and tested disaster recovery/business continuity plan.
6. Data integrity review: The purpose of this is scrutiny of live data to verify
adequacy of controls and impact of weaknesses, as noticed from any of the above
reviews. Such substantive testing can be done using generalized audit software (e.g.,
computer assisted audit techniques).
All these elements need to be addressed to present to management a clear assessment of
the system. For example, application software may be well designed and implemented with
all the security features, but the default super-user password in the operating system used
on the server may not have been changed, thereby allowing someone to access the data
files directly. Such a situation negates whatever security is built into the application.
Likewise, firewalls and technical system security may have been implemented very well, but
the role definitions and access controls within the application software may have been so
poorly designed and implemented that by using their user IDs, employees may get to see
critical and sensitive information far beyond their roles.
It is important to understand that each audit may consist of these elements in varying
measures; some audits may scrutinize only one of these elements or drop some of these
elements. While the fact remains that it is necessary to do all of them, it is not mandatory
to do all of them in one assignment. The skill sets required for each of these are different.
The results of each audit need to be seen in relation to the other. This will enable the auditor
and management to get the total view of the issues and problems. This overview is critical.

Computer security auditors perform their work through personal interviews,
vulnerability scans, examination of operating system settings, analyses of
network shares, and historical data. They are concerned primarily with how
security policies - the foundation of any effective organizational security strategy
- are actually used. There are a number of key questions that security audits
should attempt to answer:

Are passwords difficult to crack?

Are there access control lists (ACLs) in place on network devices to control who has
access to shared data?

Are there audit logs to record who accesses data?

Are the audit logs reviewed?

Are the security settings for operating systems in accordance with accepted industry
security practices?

Have all unnecessary applications and computer services been eliminated for each
system?

Are these operating systems and commercial applications patched to current levels?

How is backup media stored? Who has access to it? Is it up-to-date?

Is there a disaster recovery plan? Have the participants and stakeholders ever
rehearsed the disaster recovery plan?

Are there adequate cryptographic tools in place to govern data encryption, and have
these tools been properly configured?

Have custom-built applications been written with security in mind?

How have these custom applications been tested for security flaws?

How are configuration and code changes documented at every level? How are these
records reviewed and who conducts the review?

These are just a few of the kind of questions that can and should be assessed in a security
audit. In answering these questions honestly and rigorously, an organization can realistically
assess how secure its vital information is.
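
The questions above, and the earlier example of an application whose security is undone by an unchanged super-user password on the operating system beneath it, only become audit evidence when each one is turned into a measurable test. The following Python script is an added illustration, not code from the page or from any auditing body: it runs a handful of those questions as checks over a constructed evidence record for one host and emits findings in a problem / implication / correction layout. The HostEvidence fields, the thresholds (12-character minimum, 30-day patch window, 7-day log review) and the sample host are assumptions made for the example, not a published baseline.

```python
"""Measurable control checks over constructed host evidence (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set


@dataclass
class HostEvidence:
    """What the auditor collected for one system (constructed sample fields)."""
    hostname: str
    min_password_length: int
    lockout_threshold: int            # failed logons before lockout; 0 = no lockout
    listening_services: Set[str]      # observed, e.g. from a port scan
    approved_services: Set[str]       # what the site's build standard permits
    last_patch: date
    audit_logging_enabled: bool
    last_log_review: Optional[date]   # None = nobody reviews the logs
    admin_accounts_without_password: List[str] = field(default_factory=list)


@dataclass
class Finding:
    """One worksheet entry: the question, what was found, why it matters, the fix."""
    question: str
    problem: str
    implication: str
    correction: str


def check_host(ev: HostEvidence, as_of: date) -> List[Finding]:
    """Run every check and return only the failures; an empty list means compliant."""
    f: List[Finding] = []

    # Are passwords difficult to crack?  (assumed thresholds: 12 chars, lockout on)
    if ev.min_password_length < 12 or ev.lockout_threshold == 0:
        f.append(Finding("Are passwords difficult to crack?",
                         f"{ev.hostname}: min length {ev.min_password_length}, "
                         f"lockout threshold {ev.lockout_threshold}",
                         "Short passwords with unlimited guesses are practical to guess.",
                         "Require 12+ characters and enable account lockout."))
    if ev.admin_accounts_without_password:
        f.append(Finding("Are passwords difficult to crack?",
                         f"{ev.hostname}: admin accounts without a password: "
                         + ", ".join(ev.admin_accounts_without_password),
                         "Anyone reaching the logon prompt gets administrative access.",
                         "Set passwords before the system joins the network."))

    # Have all unnecessary services been eliminated?
    extra = sorted(ev.listening_services - ev.approved_services)
    if extra:
        f.append(Finding("Have all unnecessary services been eliminated?",
                         f"{ev.hostname}: unapproved services listening: {', '.join(extra)}",
                         "Each extra service is attack surface outside the build standard.",
                         "Disable the services or document an approved exception."))

    # Are operating systems patched to current levels?  (assumed 30-day window)
    age = (as_of - ev.last_patch).days
    if age > 30:
        f.append(Finding("Are operating systems patched to current levels?",
                         f"{ev.hostname}: last patched {age} days ago",
                         "Known, fixed vulnerabilities remain exploitable.",
                         "Bring the host into the monthly patch cycle."))

    # Are there audit logs, and are they reviewed?  (assumed 7-day review cycle)
    if not ev.audit_logging_enabled:
        f.append(Finding("Are there audit logs to record who accesses data?",
                         f"{ev.hostname}: audit logging disabled",
                         "Access cannot be reconstructed after an incident.",
                         "Enable audit logging and forward logs off-host."))
    elif ev.last_log_review is None or (as_of - ev.last_log_review).days > 7:
        f.append(Finding("Are the audit logs reviewed?",
                         f"{ev.hostname}: logs exist but were not reviewed in the last 7 days",
                         "Recorded abuse goes unnoticed; logging alone is not a control.",
                         "Assign a weekly review owner and record each review."))
    return f


def worksheet(findings: List[Finding]) -> str:
    """Render findings in the problem / implication / correction layout."""
    blocks = [f"Question:    {x.question}\nProblem:     {x.problem}\n"
              f"Implication: {x.implication}\nCorrection:  {x.correction}"
              for x in findings]
    return "\n\n".join(blocks)


# Constructed sample host with several deliberate gaps (not a real system).
SAMPLE_HOST = HostEvidence(
    hostname="app-srv-01",
    min_password_length=8,
    lockout_threshold=0,
    listening_services={"ssh", "https", "telnet", "ftp"},
    approved_services={"ssh", "https"},
    last_patch=date(2024, 1, 10),
    audit_logging_enabled=True,
    last_log_review=None,
    admin_accounts_without_password=["localadmin"],
)
AS_OF = date(2024, 3, 1)

if __name__ == "__main__":
    print(worksheet(check_host(SAMPLE_HOST, AS_OF)))
```

Each check returns nothing when the control is in place, so the output is exactly the list of deficiencies to carry into the report, and re-running the same checks after remediation gives the measurable "is it corrected" answer the audit needs.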
Security Policy Defined:

A security audit is essentially an assessment of how effectively the organization's
security policy is being implemented. Of course, this assumes that the
organization has a security policy in place which, unfortunately, is not always the
case. Even today, it is possible to find a number of organizations where a written
security policy does not exist.

Security policies are a means of standardizing security practices by having them
codified (in writing) and agreed to by employees who read them and sign off on
them.

Natural tensions frequently exist between workplace culture and security policy.
Even with the best of intentions, employees often choose convenience over
security. For example, users may know that they should choose difficult-to-guess
passwords, but they may also want those passwords to be close at hand. So
every fledgling auditor knows to check for sticky notes on the monitor and to pick
up the keyboard and look under it for passwords. IT staff may know that every
local administrator account should have a password; yet, in the haste to build a
system, they may just bypass that step, intending to set the password later, and
therefore place an insecure system on the network.

The security audit should seek to measure security policy compliance and
recommend solutions to deficiencies in compliance. The policy should also be
subject to scrutiny. Is it a living document, accurately reflecting how the
organization protects IT assets on a daily basis? Does the policy reflect industry
standards for the type of IT resources in use throughout the organization?

Pre-Audit Homework

Before the computer security auditors even begin an organizational audit, there's a
fair amount of homework that should be done. Auditors need to know what they're
auditing. In addition to reviewing the results of any previous audits that may have
been conducted, there are several tools they will use or refer to beforehand. The first
is a site survey. This is a technical description of the system's hosts. It also includes
management and user demographics. This information may be out of date, but it can
still provide a general framework. Security questionnaires may be used to follow
up the site survey. These questionnaires are, by nature, subjective measurements,
but they are useful because they provide a framework of agreed-upon security
practices. The respondents are usually asked to rate the controls used to govern
access to IT assets. These controls include: management controls,
authentication/access controls, physical security, outsider access to systems, system
administration controls and procedures, connections to external networks, remote
access, incident response, and contingency planning.

Site surveys and security questionnaires should be clearly written with quantifiable
responses to specific requirements. They should offer a numerical scale from least
desired (does not meet requirements) to most desired (meets requirements and has
supporting documentation). Both should include electronic commerce considerations
if appropriate to the client organization. For instance, credit card companies have
compliance templates listing specific security considerations for their products. These
measure network, operating system, and application security as well as physical
security.

Auditors, especially internal auditors, should review previous security incidents at
the client organization to gain an idea of historical weak points in the organization's
security profile. They should also examine current conditions to ensure that repeat
incidents cannot occur.

If auditors are asked to examine a system that allows Internet connections, they
may also want to know about IDS/firewall log trends. Do these logs show any trends
in attempts to exploit weaknesses? Could there be an underlying reason (such as
faulty firewall rules) that such attempts are taking place on an ongoing basis? How
can this be tested?
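
One way to test the log-trend questions above is to reduce the firewall log to three facts the auditor can put in the report: how many connections were denied per day, which sources keep coming back across several days, and whether anything was allowed through to a port the policy says must be blocked (the faulty-rule case). The script below is an added example written for this page, not the site's or any product's code. The one-line log format, the addresses (RFC 5737 documentation ranges) and the "must deny" port set are constructed assumptions.

```python
"""Trend analysis over constructed firewall log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, three days of a perimeter firewall (assumed format).
LOG_LINES = """\
2024-03-01T02:14:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T02:14:06 DENY src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp
2024-03-01T02:14:07 DENY src=203.0.113.5 dst=192.0.2.10 dport=3389 proto=tcp
2024-03-01T09:30:00 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2024-03-02T02:15:11 DENY src=203.0.113.5 dst=192.0.2.11 dport=22 proto=tcp
2024-03-02T02:15:12 DENY src=203.0.113.5 dst=192.0.2.11 dport=23 proto=tcp
2024-03-02T11:02:44 ALLOW src=198.51.100.9 dst=192.0.2.12 dport=23 proto=tcp
2024-03-03T02:16:20 DENY src=203.0.113.5 dst=192.0.2.12 dport=22 proto=tcp
2024-03-03T02:16:21 DENY src=203.0.113.5 dst=192.0.2.12 dport=3389 proto=tcp
2024-03-03T14:00:00 DENY src=198.51.100.20 dst=192.0.2.10 dport=80 proto=tcp
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def deny_trend(events):
    """Denied connections per calendar day (ISO date string -> count)."""
    per_day = Counter(e["ts"].date().isoformat()
                      for e in events if e["action"] == "DENY")
    return dict(sorted(per_day.items()))


def persistent_sources(events, min_days=2):
    """Sources denied on at least `min_days` distinct days: a trend, not a one-off."""
    days = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            days[e["src"]].add(e["ts"].date())
    return {src: len(d) for src, d in days.items() if len(d) >= min_days}


def probed_ports(events, src):
    """Destination ports a given source was denied on, most frequent first."""
    c = Counter(e["dport"] for e in events
                if e["action"] == "DENY" and e["src"] == src)
    return c.most_common()


def rule_gaps(events, must_deny_ports):
    """ALLOW events to ports the policy says must be denied: evidence of a faulty rule."""
    return [(e["src"], e["dst"], e["dport"]) for e in events
            if e["action"] == "ALLOW" and e["dport"] in must_deny_ports]


EVENTS = parse(LOG_LINES)

if __name__ == "__main__":
    print("denies per day:", deny_trend(EVENTS))
    print("persistent sources:", persistent_sources(EVENTS))
    for src in persistent_sources(EVENTS):
        print(src, "probed ports:", probed_ports(EVENTS, src))
    # Assumed site policy: telnet and RDP must never be allowed from outside.
    print("rule gaps:", rule_gaps(EVENTS, {23, 3389}))
```

On the sample data the same external source is denied on all three days, always in the same early-morning window and always on the same remote-access ports, which is the kind of trend the text asks about; the single ALLOW to port 23 is the separate finding that the rule set itself disagrees with the written policy and needs correcting, independent of who is knocking.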

Because of the breadth of data to be examined, auditors will want to work with the
client to determine the scope of the audit. Factors to consider include: the site
business plan, the type of data being protected and the value/importance of that
data to the client organization, previous security incidents, the time available to
complete the audit and the talent/expertise of the auditors. Good auditors will want
to have the scope of the audit clearly defined, understood and agreed to by the
client.

Then, the auditors will develop an audit plan. This plan will cover how the audit will be
executed, with which personnel, and using what tools. They will then discuss the
plan with the requesting agency. Next they discuss the objective of the audit with
site personnel along with some of the logistical details, such as the time of the audit,
which site staff may be involved and how the audit will affect daily operations. Next,
the auditors should ensure audit objectives are understood.

At the Audit Site

When the auditors arrive at the site, their aim is not to adversely affect business
transactions during the audit. They should conduct an entry briefing where they
again outline the scope of the audit and what they are going to accomplish. Any
questions that site management may have should be addressed and last minute
requests considered within the framework of the original audit proposal.

The auditors should be thorough and fair, applying consistent standards and
procedures throughout the audit. During the audit, they will collect data about the
physical security of computer assets and perform interviews of site staff. They may
perform network vulnerability assessments, operating system and application
security assessments, access controls assessment, and other evaluations.

Throughout this process, the auditors should follow their checklists, but also keep
eyes open for unexpected problems. Here they get their noses off the checklist and
start to sniff the air.

They should look beyond any preconceived notions or expectations of what they
should find and see what is actually there.

Conduct Outgoing Briefing

After the audit is complete, the auditors will conduct an outgoing briefing, ensuring
that management is aware of any problems that need immediate correction.

Questions from management are answered in a general manner so as not to create a
false impression of the audit's outcome. It should be stressed that the auditors may
not be in a position to provide definitive answers at this point in time. Any final
answers will be provided following the final analysis of the audit results.

Once back in the home office, the auditors will begin to comb their checklists and
analyze data discovered through vulnerability assessment tools. There should be an
initial meeting to help focus the outcome of the audit results. During this meeting,
the auditors can identify problem areas and possible solutions.

The audit report can be prepared in a number of formats, but auditors should keep
the report simple and direct, containing concrete findings with measurable ways to
correct the discovered deficiencies.

The audit report can follow a general format of executive summary, detailed findings
and supporting data, such as scan reports as report appendices.

It's important to realize that strengths as well as deficiencies can be addressed in
the executive summary to help give an overall balance to the audit report.

Next, the auditors can provide a detailed report based on the audit checklists. The audit
findings should be organized in a simple and logical manner on one-page worksheets
for each discovered problem. This worksheet outlines the problem, its implications,
and how it can be corrected. Space should be left on the worksheet to allow the site
to document corrective steps, and a comment block to dispute the finding if
appropriate.

The audit staff should prepare the report as speedily as accuracy allows so that the
site staff can correct the problems discovered during the audit. Depending on
company policy, auditors should be ready to guide the audited site staff in correcting
deficiencies and help them measure the success of these efforts.

Management should continually supervise deficiencies that are turned up by the
audit until they are completely corrected. The motto for higher management armed
with the audit report should be, "follow up, follow up, follow up."

It must be kept in mind that as organizations evolve, their security structures will
change as well. With this in mind, the computer security audit is not a one-time
task, but a continual effort to improve data protection.

The audit measures the organization's security policy and provides an analysis of the
effectiveness of that policy within the context of the organization's structure,
objectives and activities. The audit should build on previous audit efforts to help
refine the policy and correct deficiencies that are discovered through the audit
process. Whereas tools are an important part of the audit process, the audit is less
about the use of the latest and greatest vulnerability assessment tool, and more
about the use of organized, consistent, accurate, data collection and analysis to
produce findings that can be measurably corrected.

Objectives of IS Audit:

The main objectives of auditing information systems are discussed below:

The internal controls must be adequate and effective in nature.

Allocate resources efficiently with complete effectiveness.

Should provide the assurance that the computer related assets are completely
protected.

To ensure that the information is accurate and reliable and is available on
request.

IS Audit should provide reasonable assurance that all errors, omissions and
irregularities are prevented, detected, corrected and reported.

IS Auditing reviews the system to check compliance with policies, procedures and
standards.

Ensure legal requirements are complied with, audit trails are incorporated,
documentation is completed and system data integrity and security are maintained.

One of the main objectives of Information System Auditing is to identify the potential
for computer related frauds, embezzlements, misappropriations and thefts.

It also sees that the management takes corrective and preventive actions when
required.

Audit Evidence:

Audit evidence is data related to facts and circumstances that have to be examined
and assessed upon implementation of the audit task and which have been
ascertained during the implementation of the audit task by means of respective
techniques and procedures for collecting audit evidence.

The audit evidence should be:

o Sufficient - the collected data in terms of quantity and quality should
substantiate the findings, evaluations and conclusions and enable any user
of the information to reach the same conclusion;

o Reliable - the collected data should be obtained from competent sources using
appropriate techniques and procedures;

o Relevant - the collected data should correspond to the audit objectives and be
logically related to the findings, evaluations and conclusions;

o Reasonable - the collected data should be obtained in an economic way and
the costs of its collection should be commensurate with the results to be
achieved.

Types of audit evidence and methods used to obtain it:

1. Documentary evidence is obtained as a result of examination and control of
existing written data in the audited entity, as well as information gathered from
external sources;
2. Analytical evidence is obtained as a result of analysis of the evidence collected;
3. Witness evidence is obtained as a result of discussions, interviews, questionnaires,
explanations, etc. documented in working papers;
4. Material evidence is obtained as a result of direct measurement and monitoring
documented in working papers.

The techniques and procedures for obtaining different types of audit evidence are
implemented in combination or separately, depending on the audit objectives.

Methodologies of IS Audit:
Audit methodology is a particular set of processes or procedures used to assess a company's
financial and business risk. Internal and external audits may be used to review specific
information relating to different operations of a company. Audits generally test financial
information for accuracy and validity. Some audits focus on non-financial aspects, however.
For example, business risk audits test departmental compliance with standard operating
procedures. Variances found during the audit may significantly impact the company's ability
to remain in business. Audit methodologies typically consist of four parts: a preliminary
risk assessment, a planning stage, a testing phase and an exit meeting.
A preliminary risk assessment normally begins with an interview of company management.
This meeting usually determines the depth and breadth of the audit methodology because
company management generally will disclose their business's highest risk areas. After the
meeting, auditors usually compile their notes and write up a formal agreement outlining the
scope of the audit. Changes to the audit methodology may require a separate addendum to
the original written agreement. Once the preliminary risk assessment phase is complete,
auditors typically begin the planning stage.
The planning stage of audit methodology introduces auditors to each business area they will
be auditing. Walk-throughs often are used during this stage of the audit to familiarize
auditors with company employees and their specific responsibilities. Additional weaknesses
discovered by auditors may be added to the original audit scope agreement. Company
management usually introduces the auditors to department managers, allowing auditors to
freely conduct interviews without undue influence. This protects the integrity of the audit
methodology. The testing phase normally begins once auditors have finished their audit
planning assessment.
The testing phase is the meat of the audit methodology process. Auditors actively review
financial information or business processes to determine any violations of the Generally
Accepted Accounting Principles (GAAP) or internal operational standards. A sample is usually
taken from large groups of information and tested independently by auditors. If too many
failures occur in the first test sample, the audit methodology may require auditors to test an
additional group of information or simply write up the initial sample as a failure or violation
of company standards. Once the testing phase is complete, auditors typically have an exit
meeting with company management.
The exit meeting represents the wrap-up phase of the audit methodology. This meeting
allows auditors and company management to review the audit results and discuss any major
violations or failures discovered during the testing phase. Formal audit opinions are usually
filed within a week of the audit exit meeting. Companies may also choose to dispute audit
findings during the exit meeting if the violations are minor or insignificant compared to the
company's aggregate operations. Audit methodologies may require companies to have a
second audit if too many violations were discovered during the first audit.

Common IS audit methodologies include:

CobiT

BS 7799 - Code of Practice (CoP)

BSI - IT Baseline Protection Manual

ITSEC

Common Criteria (CC)

Comparison of all IS Audit Methodologies:

[Table: Information Systems Audit Methodology (comparison table not reproduced in this extract)]

Audit Methodology:
The IS audit work includes manual procedures, computer assisted procedures and fully
automated procedures, depending on whether the audit is conducted around the computer,
through the computer, with the computer, or by a combination of these approaches. In many
cases, a combination of these techniques is required. IS auditors may use manual procedures
when they are more effective than the alternatives or when the procedures cannot be
partially or fully automated. They should also use computer assisted procedures, known as
Computer Assisted Audit Tools (CAATs), because these permit the IS auditor to move from
procedures based on limited, random and statistical samples of the records in a file to a
procedure that covers every record in the file.
Audit activity is broadly divided into 5 major steps for the convenience and
effective conduct of audit.
a) Planning IS Audit
b) Tests of Controls
c) Tests of Transactions
d) Tests of Balances
e) Completion of Audit
a) Planning IS audit:
Planning is the first step of the IS audit. IS auditors should plan the audit work in a manner
appropriate for meeting the audit objectives. As a part of the planning process, IS auditors
should obtain an understanding of the auditee department/ office/organisation and its
processes. It includes understanding of the objectives to be accomplished in the audit,
collecting background information, assigning appropriate staff keeping in mind skills,
aptitude etc. and identifying the areas of risk. Risk analysis of the operational systems is
carried out to identify those with the highest risk, considering the critical nature of the
information processed through each system as well as the number and value of the
transactions processed, and to decide on the extent of the detailed analysis and testing to
be conducted on those systems. In this
phase, IS auditors are required to understand the internal controls used within an
organization. Various techniques can be used to understand the internal controls viz. review
of previous audit reports/papers, interview/interaction with the management and
Information Systems personnel, observation of activities carried out within the Information
Systems function and review of Information Systems documentation.
b) Tests of Controls:
During this phase of IS audit, Internal Controls are tested to evaluate whether they operate
effectively. This includes testing of management controls and application controls. The
objective is to evaluate the reliability of the controls and find out weaknesses of the
controls for meeting the IS audit objectives. IS auditor is required to make
recommendations to rectify the weaknesses, observed during the course of an IS audit.
While carrying out tests of controls, the IS auditors should satisfy themselves regarding the
following aspects of controls.
Identification: Organization should identify the controls to minimize the occurrence of
unlawful events.
Implementation: Identified controls should be implemented.
Existence: Controls are sometimes recorded as implemented but do not actually operate. For
example, the organization may have stipulated that users change their passwords every week,
while in reality this is not happening. The auditor should therefore verify that a control
actually exists and operates, not merely that it is documented.
Adequacy: IS auditors should examine the adequacy of the controls. They should see that
the controls are adequate to cover the threats identified for the system in the risk analysis.
Documentation: All controls should be documented to make them effective.
Maintenance: Controls should be maintained intact on a continuous basis. For example,
only the provision and installation of the fire extinguishers, smoke detectors, UPS etc. do
not solve the problem. These instruments should be properly maintained, so that they serve
the purpose, as and when needed.
Monitoring: Controls should be monitored by means of strict supervision, surprise checks,
periodic inspection etc.
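The existence test described above (a weekly password-change policy that may not actually be operating) can be re-performed over the whole population rather than taken on the administrator's word. The following Python is an added example written for these notes, not code from the original; the account export, its field names and the seven-day policy value are constructed assumptions, and a real test would use an export taken from the directory service in the auditor's presence.

```python
import csv
import io
from datetime import date

# Constructed directory export: usernames, fields and dates are made up for
# this example and do not come from any real system.
ACCOUNT_EXPORT = """\
username,enabled,password_last_set
alice,true,2024-03-10
bob,true,2024-01-02
svc_backup,true,2022-06-30
carol,false,2023-11-20
dave,true,2024-03-13
erin,true,
"""

# The documented control: "users should change their passwords every week".
POLICY_MAX_AGE_DAYS = 7


def check_password_age(export_text, max_age_days=POLICY_MAX_AGE_DAYS, as_of=None):
    """Re-perform the password-age control over every enabled account.

    Returns the in-scope population, each exception as (username, reason),
    the exception rate, and whether the control can be said to be operating.
    Disabled accounts are outside the control's scope but are reported so the
    auditor knows they were seen and excluded, not silently dropped.
    as_of may be a date or an ISO-8601 string (the date the export was taken).
    """
    if as_of is None:
        as_of = date.today()
    elif isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)

    population = 0
    exceptions = []
    out_of_scope = []

    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"]
        if row["enabled"].strip().lower() != "true":
            out_of_scope.append(user)
            continue
        population += 1
        raw = row["password_last_set"].strip()
        if not raw:
            # No date at all: there is no evidence the control ever operated
            # for this account, which is itself an exception.
            exceptions.append((user, "no password-set date recorded"))
            continue
        age_days = (as_of - date.fromisoformat(raw)).days
        if age_days > max_age_days:
            exceptions.append(
                (user, f"password age {age_days} days exceeds policy of {max_age_days}")
            )

    rate = len(exceptions) / population if population else 0.0
    return {
        "population": population,
        "exceptions": exceptions,
        "exception_rate": rate,
        "out_of_scope": out_of_scope,
        "control_operating": not exceptions,
    }


if __name__ == "__main__":
    result = check_password_age(ACCOUNT_EXPORT, as_of="2024-03-14")
    print(f"in-scope accounts: {result['population']}, "
          f"exceptions: {len(result['exceptions'])} "
          f"({result['exception_rate']:.0%})")
    for user, reason in result["exceptions"]:
        print(f"  {user}: {reason}")
    print("control operating:", result["control_operating"])
```

The working paper for this test would record the export's source and date, the policy reference, and the exception list. Note that a missing date is reported as an exception rather than skipped: an account with no evidence of the control is a finding about the control, not a gap in the data.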

c) Tests of Transactions:

Tests of Transactions are used to evaluate whether erroneous transactions have led to a
material misstatement of the financial information and whether the transactions have been
handled effectively and efficiently. The objective is to evaluate data integrity. Such tests
include tracing journal entries to their source documents, examining price files, testing
computational accuracy, studying the transaction log, and so on. These tests also indicate
the effectiveness of the database system's controls. CAATs are quite useful for performing
these tests, because they can be applied to every transaction rather than to a sample.
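The CAAT point made earlier (testing every record in a file rather than a sample) and the tests of transactions listed above can be demonstrated together. The Python below is an added example, not code from the original notes; the journal extract, the source-document list and all field names are constructed for illustration. It re-performs the computational accuracy check on every entry, traces each entry to its source document, flags documents posted more than once and reports gaps in the entry-number sequence.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed journal extract. The entries are invented so that each kind of
# test below finds exactly one thing: 1003 has a wrong extension, 1004 is
# missing from the sequence, 1005 disagrees with its source document (a
# transposition, 450 vs 540), INV-502 is posted twice, and INV-999 has no
# supporting document at all.
JOURNAL = """\
entry_id,posted,account,qty,unit_price,amount,source_doc
1001,2024-03-01,4000,10,12.50,125.00,INV-501
1002,2024-03-01,4000,3,99.99,299.97,INV-502
1003,2024-03-02,4000,5,20.00,120.00,INV-503
1005,2024-03-02,4000,1,450.00,450.00,INV-504
1006,2024-03-03,4000,2,75.00,150.00,INV-502
1007,2024-03-03,4000,4,10.00,40.00,INV-999
"""

# Constructed source-document register (e.g. approved invoices).
SOURCE_DOCS = """\
doc_id,amount
INV-501,125.00
INV-502,299.97
INV-503,120.00
INV-504,540.00
"""


def _load(text):
    return list(csv.DictReader(io.StringIO(text)))


def run_transaction_tests(journal_csv, docs_csv):
    """Apply the tests to every journal entry and return the findings by type."""
    entries = _load(journal_csv)
    # Decimal, not float, for money: 3 * 99.99 must equal 299.97 exactly.
    docs = {d["doc_id"]: Decimal(d["amount"]) for d in _load(docs_csv)}

    findings = {
        "arithmetic": [],       # qty * unit_price does not equal amount
        "unsupported": [],      # source document cannot be found
        "amount_mismatch": [],  # entry amount differs from the source document
        "duplicate_docs": [],   # one source document posted more than once
        "sequence_gaps": [],    # entry numbers missing from the sequence
    }
    by_doc = defaultdict(list)

    for e in entries:
        entry_id = int(e["entry_id"])
        amount = Decimal(e["amount"])

        # Computational accuracy: recompute the extension independently.
        if Decimal(e["qty"]) * Decimal(e["unit_price"]) != amount:
            findings["arithmetic"].append(entry_id)

        # Trace to source: the document must exist and agree in amount.
        doc = e["source_doc"]
        by_doc[doc].append(entry_id)
        if doc not in docs:
            findings["unsupported"].append(entry_id)
        elif docs[doc] != amount:
            findings["amount_mismatch"].append(entry_id)

    # Duplicate postings of the same supporting document.
    findings["duplicate_docs"] = sorted(d for d, ids in by_doc.items() if len(ids) > 1)

    # Completeness: any break in the entry-number sequence is a question
    # for the auditee (deleted entry, failed posting, or renumbering).
    ids = sorted(int(e["entry_id"]) for e in entries)
    for prev, cur in zip(ids, ids[1:]):
        findings["sequence_gaps"].extend(range(prev + 1, cur))

    findings["records_tested"] = len(entries)
    return findings


if __name__ == "__main__":
    result = run_transaction_tests(JOURNAL, SOURCE_DOCS)
    print(f"records tested: {result['records_tested']}")
    for test, hits in result.items():
        if test != "records_tested":
            print(f"  {test}: {hits}")
```

Each finding list is evidence for the working papers, and the population count documents that the test covered every record. With six entries a manual check is trivial, but the same function runs unchanged over a million-line extract, which is the practical difference between a CAAT and a hand-picked sample: a sample of two or three entries from this journal could easily contain none of the five problems.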
d) Tests of Balances:
During this phase of IS audit, a final judgement is made on the extent of the losses or
account misstatement that occur when Information Systems fail to safeguard assets, maintain data
integrity and achieve system effectiveness and efficiency goals. As regards the
safeguarding of assets and data integrity objectives, the typical substantive tests used are
confirmation of the receivables, physical verification of inventory and recalculation of
depreciation on the fixed assets. Regarding the system effectiveness and system efficiency
objectives, the tests to be conducted are in the process of evolution. For example, the
shortcomings in the Information Systems Planning may have resulted in the purchase of
inappropriate hardware. The system may provide outputs, but not of the required standards
to make high quality decisions. During this phase of the IS audit, computer support is often
required. Generalized audit software can be used to select and print confirmations; expert
systems can be used to estimate the likely bad debts, and so on.
e) Completion of Audit:
This is the final stage of IS audit. Auditors are required to form their opinion, clearly
indicating their findings, analysis and recommendations. Potential IS audit findings should
be discussed with the appropriate/authorised personnel throughout the course of IS
auditing. Preliminary conclusions and the audit findings should be presented to the auditee
during an exit conference. All potential findings with sufficient merit and preliminary IS
audit recommendations should be included for discussion in the exit conference. The record
of the exit meeting should document the auditee's comments and questions concerning
the preliminary IS audit recommendations. The draft audit report should be the natural
extension of the exit conference materials, along with the discussions that took place
during the exit meeting. Once the auditee's responses have been received, the final audit
report should be prepared and submitted to the designated authority/management of the
organisation.
Work papers used in the auditing should be well organized, clearly written and address all
the areas included in IS audit. IS audit work papers should contain sufficient
evidence/information of the tasks performed and the conclusions reached, including the
results achieved, issues identified and authorized signatures approving the final opinion.
A typical audit report will include, among other things, an introduction to the audit objectives,
scope and general approach employed, a summary of the critical findings, the data supporting the
critical findings, the potential consequences of the weaknesses, the auditee's responses and
recommendations to rectify the weaknesses.