CA Bharatish Ballal
Processes, people and systems are closely linked with information systems. Even
measurement and recognition of external events need information systems.
Therefore, under the new Accord, the job of an audit and control practitioner shall
become more onerous and challenging.
Therefore a financial audit cannot assure that the information system is foolproof,
as a financial auditor is not an expert in information technology. Hence an expert
should provide an opinion that the information system is risk-free. This is where
the Information System Audit (IS Audit) comes into the picture.
Meaning of IS audit
Information systems audit is a part of the overall audit process, which is one of
the facilitators for good corporate governance. While there is no single universal
definition of IS audit, Ron Weber has defined it as "the process of collecting and
evaluating evidence to determine whether a computer system (information
system)
• Safeguards assets
IS audit often involves finding and recording observations that are highly
technical. Such technical depth is required to perform effective IS audits. At the
same time it is necessary to translate audit findings into vulnerabilities and
business impacts to which operating managers and senior management can
relate. Therein lies a main challenge of IS audit.
Scope of IS Audit
Elements/components of IS Audit
RBI has recognized the significance of IS Audit and has now made it mandatory
for all computerized banks to get their systems audited by an Information
System Auditor. RBI has stipulated that such an IS Auditor should have an
adequate qualification such as CISA of ISACA of the US or DISA of ICAI (The
Institute of Chartered Accountants of India).
RBI has also provided a checklist of such IS Audits to be undertaken by the IS
Auditors of banks.
Most of the Indian Banks have entrusted the job of IS Audit to qualified persons.
IS Audits in banks are basically categorized into:
• Core IS Audits
• Non-Core IS Audits
• Migration audits
  o Pre-migration
  o Post-migration
• ATM audits
A Core IS Audit is done at the Centralized Data Center level, and the entire
information system of the bank is audited. All the aspects of IS Audit explained
in the earlier sections are attended to by the IS Auditor.
A non-core IS audit is done at the branch level of a bank, and only branch
transactions are checked. Physical security controls at the branch are checked to
the fullest extent. Controls over password management at the branch level are
also checked. Other aspects, such as the operating system or packages, are
checked only for changes in parameters at the branch level.
In a pre-migration audit, usually done before migration to the Core Business
Solution (CBS) environment, the IS auditor verifies the integrity of the data being
transferred to CBS.
In a post-migration audit, usually done by a person not involved in the CBS
implementation, the integrity of the data transferred to CBS is verified.
In ATM audits, only the security of the ATM and the integrity of its processing are
verified by the IS auditor.
At present, in many banks, non-core audits and ATM audits at branch level are
sometimes covered by branch financial auditors, concurrent auditors, inspectors
or even statutory auditors.
Shortfalls in the present information system audits at branch level in Indian banks
Conclusion