No.1 for CA/CWA & MEC/CEC    MASTER MINDS
CA Final_17e_ISCA_Audit of Information Systems    Ph: 98851 25025/26    www.mastermindsindia.com

6. AUDITING OF INFORMATION SYSTEMS

Q.No.1. Define Information Systems Control (B)

a) Controls are the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
b) Controls pertaining specifically to the information systems are referred to as Information Systems Controls.

Q.No.2. What is Information Systems Auditing? (B)

It is the process of attesting objectives that focus on asset safeguarding and data integrity, and management objectives that include not only attest objectives but also effectiveness and efficiency objectives.

Q.No.3. Why do we need Control and Audit of Information Systems? (OR) What are the factors influencing an organization towards control and audit of computers? (A) (PM, RTP M-16)

[Figure: Impact of control and audit influencing an organization. Labels: Control and Audit of computer-based information systems; Information Systems Auditing; Organizations; improved safeguarding; improved data integrity; improved system efficiency; improved system effectiveness.]

a) To prevent Organizational Costs of Data Loss: Control and Audit of Information Systems is required to protect against data loss, as data is the most critical resource for an organization for its present as well as future development.
b) To ensure Correct Decision Making: Control and Audit of Information Systems ensures that accurate data is available for managers to take high-level decisions for detection, investigation and correction of out-of-control processes.
c) To control Costs of Computer Abuse: Unauthorized access to computer systems, computer viruses, unauthorized physical access to computer facilities and unauthorized copies of sensitive data can lead to destruction of assets (hardware, software, documentation etc.), and Control and Audit of Information Systems is required to control such access.
d) Value of Computer Hardware, Software and Personnel: These are critical resources of an organization which have a credible impact on its infrastructure and business competitiveness.
e) High Costs of Computer Error: In a computerised enterprise environment where many critical business processes are performed, a data error during entry or processing would cause great damage.
f) Maintenance of Privacy: Control and Audit of Information Systems ensures that data collected in a business process are adequately guarded and their privacy is maintained. These data could contain sensitive information about any individual, company etc.
g) Controlled evolution of computer Use: Technology use and reliability of complex computer systems cannot be guaranteed, and the consequences of using unreliable systems can be destructive.
h) Information Systems Auditing: It is the process of attesting objectives that focus on asset safeguarding and data integrity, and management objectives that include not only attest objectives but also effectiveness and efficiency objectives.
   (Write short notes on Objectives of IS Audit) (N15-4M)
i) Asset Safeguarding Objectives: The information system assets (hardware, software, data files etc.) must be protected by a system of internal controls from unauthorized access.
j) Data Integrity Objectives: The importance of maintaining the integrity of an organization's data depends on the value of information, the extent of access to the information and the value of data to the business from the perspective of the decision maker, competition and the market environment.
k) System Effectiveness Objectives: Audit of Information Systems ensures that the effectiveness of a system is continuously evaluated by auditing the characteristics and objective of the system to ascertain that it meets substantial user requirements.
l) System Efficiency Objectives: Audit of Information Systems is required to optimize the use of various information resources (machine time, peripherals, system software and labor) along with the impact on the computing environment.

Q.No.4. Discuss the effect of computers on audit trail and audit evidence due to computerization? (OR) Write short notes on effect of computers on evidence collection for audit (A) [PM, N15 - 6M, M15 - 4M, N14 - 6M, RTP N13, MTP N46, M16, M15, N15]

Changes to Evidence Collection: Due to the advent of information systems, there are several issues which are faced by the auditor:

(Discuss the issues relating to the performance of evidence collection and understanding the reliability of controls. (OR) Compared to traditional audit, evidence collection has become more challenging with the use of computers to the auditors. What are the issues which affect evidence collection and understanding the reliability of controls in financial audit?)

a) Data retention and storage:
   i) A client's storage capabilities may restrict the amount of historical data that can be retained "on-line" and readily accessible to the auditor.
   ii) If the client has insufficient data retention capacities, the auditor may not be able to review a whole reporting period's transactions on the computer system.
b) Absence of input documents:
   i) Transaction data may be entered into the computer directly without the presence of supporting documentation, e.g. input of telephone orders into a telesales system. This results in less paperwork being available for audit examination.
c) Lack of a visible audit trail:
   i) The audit trails in some computer systems may exist for only a short period of time.
   ii) The absence of an audit trail will make the auditor's job very difficult and may call for an audit approach which involves auditing around the computer system by seeking other sources of evidence to provide assurance that the computer input has been correctly processed and output.
d) Lack of visible output:
   i) The results of transaction processing may not produce a hard copy form of output, i.e. a printed record.
   ii) In the absence of physical output it may be necessary for the auditor to directly access the electronic data retained on the client's computer. This is normally achieved by having the client provide a computer terminal and being granted "read" access to the required data files.
e) Audit evidence:
   i) Certain transactions may be generated automatically by the computer system. For example, a fixed asset system may automatically calculate depreciation on assets at the end of each calendar month.
   ii) The depreciation charge may be automatically transferred (journalized) from the fixed assets register to the depreciation account and hence to the client's income and expenditure account.
f) Legal evidence:
   i) The advent of information systems also causes legal issues. For example, the admissibility of the evidence provided by a client's computer system may need special consideration.

Changes to Evidence Evaluation: Evaluation of audit trail and evidence is to trace consequences

a) System generated transactions: Financial systems may have the ability to initiate, approve and record financial transactions.
b) Automated transaction processing:
   i) Automated transaction processing systems can cause the auditor problems.
   ii) For example, when gaining assurance that a transaction was properly authorized or in accordance with delegated authorities.
c) Systematic Error:
   i) Computers are designed to carry out processing on a consistent basis.
   ii) Given the same inputs and programming, they invariably produce the same output. This consistency can be viewed in both a positive and a negative manner.

ty for controls? (B)

a) Management is responsible for establishing and maintaining control to achieve the objectives of effective and efficient operations, and reliable information systems.
b) Management should consistently apply the internal control to meet each of the internal control objectives and to assess internal control effectiveness.
c) The number of management levels depends on the company size and organization structure, but generally there are three such levels: senior, middle and supervisory.
d) Senior management is responsible for strategic planning and objectives, thus setting the course in the lines of business that the company will pursue.