No.1 for CA/CWA & MEC/CEC MASTER MINDS
6. AUDITING OF INFORMATION SYSTEMS
Q.No.1. Define Information Systems Control. (B)
a) Controls are the Policies, Procedures, Practices and Organizational Structures, Designed to
Provide Reasonable Assurance that Business Objectives will be achieved and that Undesired
Events will be Prevented or Detected and Corrected.
b) Controls pertaining specifically to the Information Systems are referred to as Information Systems
Controls.
Q.No.2. What Is Information Systems Auditing? (B)
It is the process of attesting Objectives that focus on asset safeguarding and data integrity and
Management Objectives that include not only attest objectives but also effectiveness and efficiency
objectives.
Q.No.3. Why do we need Control and Audit of Information Systems? (OR) What are the factors
influencing an organization towards control and audit of computers? (A) (PM, RTP M-16)
[Figure: Impact of control and audit influencing an organization. Labels: Control and Audit of computer-based information systems; Information Systems Auditing; Organizations; Improved safeguarding; Improved data integrity; Improved system efficiency; Improved system effectiveness.]
a) To prevent Organizational Costs of Data Loss: Control and Audit of Information Systems is
required to protect against Data Loss, as data is the most critical resource for an organization for its
present as well as future development.
b) To ensure Correct Decision Making: Control and Audit of Information Systems ensures that
accurate data is available for managers to take high level decisions for detection, investigation
and correction of out-of-control processes.
c) To control Costs of Computer Abuse: Unauthorized access to computer systems, computer
viruses, unauthorized physical access to computer facilities and unauthorized copies of sensitive
data can lead to destruction of assets (hardware, software, documentation etc.), and Control and
Audit of Information Systems is required to control such access.
CA Final_17e_ISCA_Audit of Information Systems. 6.1Ph: 98851 25025/26 www.mastermindsindia.com
d) Value of Computer Hardware, Software and Personnel: These are critical resources of an
organization which have a credible impact on its infrastructure and business competitiveness.
e) High Costs of Computer Error: In a computerised enterprise environment where many critical
business processes are performed, a data error during entry or processing would cause great
damage.
f) Maintenance of Privacy: Control and Audit of Information Systems ensures that data collected in
a business process are adequately guarded and their privacy is maintained. These data could
contain sensitive information about any individual, company etc.
g) Controlled evolution of computer Use: Technology use and reliability of complex computer
systems cannot be guaranteed and the consequences of using unreliable systems can be
destructive.
h) Information Systems Auditing: It is the process of attesting objectives that focus on asset
safeguarding and data integrity and management objectives that include not only attest objectives but
also effectiveness and efficiency objectives.
(Write short notes on Objectives of IS Audit) (N15-4M)
i) Asset Safeguarding Objectives: The information system assets (hardware, software, data files
etc.) must be protected by a system of internal controls from unauthorized access.
j) Data Integrity Objectives: The importance of maintaining the integrity of an organization's data
depends on the value of information, the extent of access to the information and the value of data
to the business from the perspective of the decision maker, competition and the market
environment.
k) System Effectiveness Objectives: Audit of Information Systems ensures that the effectiveness of a
system is continuously evaluated by auditing the characteristics and objective of the system to
ascertain that it meets substantial user requirements.
l) System Efficiency Objectives: [...] of Information Systems are required to
optimize the use of various information resources (machine time, peripherals, system
software and labor) along with the impact on the computing environment.
Q.No.4. Discuss the effect of computers on audit trail and audit evidence due to
computerization? (OR) Write short notes on effect of computers on evidence collection for
audit (A) [PM, N15 - 6M, M15 - 4M, N14 - 6M, RTP N13, MTP N46, M16, M15, N15]
Changes to Evidence Collection: Due to the advent of information systems, there are several issues
which are faced by the auditor:
(Discuss the issues relating to the performance of evidence collection and understanding the
Reliability of controls. (OR) Compared to traditional audit, evidence collection has become
more challenging for auditors with the use of computers. What are the issues which affect
evidence collection and understanding the reliability of controls in financial audit?)
a) Data retention and storage:
i) A client's storage capabilities may restrict the amount of historical data that can be retained
“on-line” and readily accessible to the auditor.
ii) If the client has insufficient data retention capacities, the auditor may not be able to review a
whole reporting period's transactions on the computer system.
b) Absence of input documents:
i) Transaction data may be entered into the computer directly without the presence of supporting
documentation, e.g. input of telephone orders into a telesales system.
This results in less paperwork being available for audit examination.
c) Lack of a visible audit trail:
i) The audit trails in some computer systems may exist for only a short period of time.
ii) The absence of an audit trail will make the auditor's job very difficult and may call for an audit
approach which involves auditing around the computer system by seeking other sources of
evidence to provide assurance that the computer input has been correctly processed and
output.
d) Lack of visible output:
i) The results of transaction processing may not produce a hard copy form of output, i.e. a
printed record.
ii) In the absence of physical output it may be necessary for the auditor to directly access the
electronic data retained on the client's computer.
This is normally achieved by having the client provide a computer terminal and being granted
"read" access to the required data files.
e) Audit evidence:
i) Certain transactions may be generated automatically by the computer system.
For example, a fixed asset system may automatically calculate depreciation on assets at the
end of each calendar month.
ii) The depreciation charge may be automatically transferred (journalized) from the fixed assets
register to the depreciation account and hence to the client's income and expenditure account.
f) Legal evidence:
i) Advent of information systems also causes legal issues.
For example, the admissibility of the evidence provided by a client's computer system
may need special consideration.
Changes to Evidence Evaluation: Evaluation [...] and evidence to trace consequences [...]
a) System generated transactions: Financial systems may have the ability to initiate, approve and
record financial transactions.
b) Automated transaction processing:
i) Automated transaction processing systems can cause the auditor problems.
ii) For example, when gaining assurance that a transaction was properly authorized or in
accordance with delegated authorities.
c) Systematic Error:
i) Computers are designed to carry out processing on a consistent basis.
ii) Given the same inputs and programming, they invariably produce the same output.
This consistency can be viewed in both a positive and a negative manner.
ty for controls? (B)
a) Management is responsible for establishing and maintaining control to achieve the objectives of
effective and efficient operations, and reliable information systems.
b) Management should consistently apply the internal control to meet each of the internal control
objectives and to assess internal control effectiveness.
c) The number of management levels depends on the company size and organization structure, but
generally there are three such levels: senior, middle and supervisory.
d) Senior management is responsible for strategic planning and objectives, thus setting the course in
the lines of business that the company will pursue.