Monday, March 11, 2013



Information System Audit

Make the foundation strong

Companies appreciate the benefits they gain from an effective and up-to-date information system. Frequently, however, the risks that emerge as new technologies are implemented are not fully recognized, nor are they considered in the risk analysis of business processes. Still, successful organizations perceive and manage the risks related to the implementation of new technologies and establish the required quality, reliability and security demands for their information systems. At the same time, they demand that the above-mentioned requirements be met at the lowest possible expense.

Since it is becoming common practice for enterprises and organizations not to solve their information technology problems themselves, and to rely instead on the services of information system software development companies, the demand for highly qualified IT personnel within companies is decreasing.

IT Audit / Information System Audit (ISA) helps them to establish tasks for a company's information system, order an information system, and check how well the developed information system conforms to the requirements set.

ISA looks after:

  • Confidentiality: Management needs assurance of the organization's ability to keep information confidential, as compromises in confidentiality could lead to significant harm to public reputation, particularly where the information relates to sensitive client data.

  • Integrity: It provides assurance to both management and external report users that the information produced by the organization's information systems can be relied upon and trusted to make business decisions.

  • Availability: This implies ensuring that the organization has measures in place to ensure business continuity and that recovery from disasters can be made in a timely manner, so that information is available to users as and when required.

  • Reliability: To provide assurance that the system consistently operates and performs its stated functions as expected.

  • Compliance with legal and regulatory requirements: Management and key stakeholders require assurance that necessary compliance procedures have been put in place, as there is a potential risk that the organization could incur penalties should legal and regulatory procedures not be enforced.

How does ISA fulfil the need? – By understanding the following:





  • Understands how well management capitalizes on the use of information technology to improve its important business processes.

  • Understands the pervasive effect of information technology on the client's important business processes, including the development of the financial statements and business risks related to these processes.

  • Understands how the client's use of information technology for the processing, storage and communication of financial information affects the internal control systems and our consideration of inherent risk and control risk.

  • Identifies and understands the controls that management uses to measure, manage and control the information technology processes.

  • Concludes on the effectiveness of controls over the IT processes that have a direct and important impact on the processing of financial information.


Where IT audit is involved in the performance audit, the benefits are as follows:

  • If the performance audit has an IT focus, the objective will be to seek assurance that all aspects of the IT systems, including necessary controls, are being effectively enforced.
  • The performance audit could alternatively be examining the efficiency and effectiveness of a business process/government program and as such IT audit is involved because IT is considered critical in the organization being able to deliver those services.
  • As such, the focus of the IT audit is to provide assurance that the IT systems can be relied upon to help deliver those services.
  • The efficiency and effectiveness of those services are then examined from a non-IT perspective after considering the impact that IT has on the ability of the organization to deliver those services.

How does IT Audit work?




In relation to information and communications technology (ICT), proactive risk management generally implies the need to design and implement appropriate technical, procedural and physical controls, in other words information security control systems, i.e. governance.

Information security managers develop, implement and operate information security control systems for ICT governance. IT auditors review ICT governance/control systems in order to ascertain whether risks (including information security risks) are minimised. These may sound similar but are fundamentally different roles:

  • Information security managers have executive responsibilities for securing the organisation’s information assets against hackers, malware and other threats.

  • Auditors review, advise, report and persuade.

  • Executive managers ‘execute’ … and carry the can.

But their common ground is to minimize the risks.

Who can do IS audit?




The Information Systems Audit and Control Association (ISACA) has laid down some generic requirements for IS audit which are applicable to all categories of IS audits. Like Chartered Accountant (CA) and Certified Internal Auditor (CIA), there is an international qualification called Certified Information Systems Auditor (CISA) to perform ISA.

Information System Audit is not compulsory in our country. Therefore, a specific qualification as mentioned above may not be mandatory; however, it is recommended, as the future of the legal requirements with regard to organizations’ emerging systems in our country is not going to be the same as now.

Information systems are the heart of any organization. Their success depends on their methodologies and process framework. IS audit evaluates these and controls anything that deviates from the company’s IS objective. This minimizes the risk. Teamed up with the right infrastructure, organizations that have properly planned information systems in place are the ones that gain maximum competitive advantage.



