Information Systems Audit

(Chapter 1)
 Contents
• Introduction
• Need for control and audit of computers
• Information systems auditing defined
• Effects of computer on internal controls
• Effect/advantages of computer in audit techniques
 Introduction
Auditing is the process of assessment of financial, operational,
strategic goals and processes in organizations to determine whether
they are in compliance with the stated principles ,regulatory norms,
rules and regulations.
• Aim of information audit is to safe guard the assets, to maintain data
integrity, to achieve system effectiveness and to achieve system
efficiency.
• The audit can be conducted internally by employees of the
organization, or externally by an outside firm.
Need for control and Audit of computers
computers assist in the processing of data and decision making.
Factors:
1)Organizational cost of data loss
2)Incorrect decision making
3)Cost of computer abuse
4)Value of hardware, software
5)High costs of computer error
6)Maintainance of privacy
7)Controlled evolution of computer use
 Organizational cost of data loss
• Data provides the organization with an image of itself its
environment, its history and its future.
• If the Data is inaccurate or lost the organization can incur substantial
losses.
• There should be proper backup of computer files.
 Incorrect decision making
• Decision making depends on the quality of data and quantity of
decision rules that exists in the computer based information system.
• Inaccurate data causes costly, unnecessary investigations and out of
control process can also remain undetected.
Example:
If the algorithm that the bank uses to give interest rates if incorrect
the bank will undergo substantial loss.
• Not just management but parties who have interest in an
organization also have an impact of incorrect data.
Example:
Shareholders might make poor investment decisions if they are
provided with inaccurate financial information.
 Costs of computer abuse
Hacking:
A person gaining unauthorized access of system to modify or delete
program or to disrupt services.
Viruses:
It is a program that attaches itself to executable files or data files and
replicate themselves and causes disruption.
Illegal physical access:
A person gaining unauthorized physical access in the system.(can
cause physical damage or make copies of data)
Abuse of privileges:
A person uses privileges for unauthorized purposes.(making copies of
sensitive data they are permitted to access)
Consequences of Abuse:
1)Destruction of assets
2)Theft of assets
3)Modification of assets
4)Privacy violation
5)Unauthorized use of assets
Value of computer hardware and software
• In addition to data Hardware and software are critical organizational
resources.
• Some intentional or unintentional loss of hardware can cause
disruption in functioning of organization
• If the software is corrupted the confidential information could be
stolen could be disclosed to competitors.
 High cost of computer error
• Computers automatically perform many critical functions.
Example:
Computers allow banks to provide ATM services, online banking and
accurate tracking and verification of funds.
 Maintenance of privacy
• All the important data of an individual like financial information,
personal data everything is stored on computers
• If there is some breach in the system all the private data will be gone
in seconds thus making it important to protect and maintain the
privacy.
 Impact of ISA
1)Improved safeguard of assets
2)Improved data integrity
3)Improved system effectiveness
4)Improved system efficiency
 Asset safeguarding objective
• The information system assets of an organization includes hardware,
software, people(knowledge),data files and system documentation.
• These assets play a major role in organizational growth thus making it
necessary to safeguard these assets.
 Data integrity objective
• Data integrity is an fundamental concept of information system
auditing.
• It is a state implying data has certain attributes like: completeness,
soundness, purity and veracity.
• If the integrity of an organization’s data is low it could suffer a great
loss.
Three major factors affect the value of data :
1)The value of information content of the data item for individual
decision makers.
2)The extent to which data item is shared among decision makers.
3)The value of data item to competitors.
 System effectiveness objective
• The effectiveness is the measure for deciding whether the system
provides the desired output or not. Being effective means producing
the right output in terms of quantity and quality.
• Effectiveness auditing is done usually after the system has been
running for sometime.
• It can be carried out during the design stages of system.
 System efficiency objectives
• The efficiency indicates the manner in which the inputs are used by
the system. Being efficient means the system uses inputs in a `right'
way.
• An efficient information system uses minimum resources to achieve
its required objectives.
• The goals can be achieved only if an organization’s management sets
up a system of internal control.
• There is a huge impact of computers on the internal control
components.
Effects of computers on internal
control
Components of internal control
• Separation of duties
• Delegation of authority
• Competent and trustworthy personal
• System of authorizations
• Adequate documents and records
• Physical control over assets and records
• Adequate management supervision
• Independent checks on performance
 Separation of duties
• In manual system separate individuals must be responsible for
initiating transactions, recording transactions and maintaining the
assets.
• It prevents and detects errors and irregularity
• Separation of duties must exist in different forms
• The capability to run the program and change the program should be
separated(privileges).
Delegation of authority and responsibility
In a computer system delegating authority and responsibility is
difficult because some resources are shared among various users.
Example:
In a database various users can access the same data. But by this the
integrity is somehow violated. It is not possible to trace who is
responsible for corrupting the data and who is responsible for
identifying and correcting the errors.
 Competent and trustworthy personnel
• Substantial power is given to persons responsible for computer based
information system developed, implemented, operated and
maintained within organization.
• Sometimes the personnel not only lacks skills but also well developed
sense of ethics.
• In computer system it is difficult to assess whether the authority
assigned to individual is consistent with the management’s goals.
Example:
Users can formulate queries on database that could fetch them
contents of confidential data.
 System of authorizations
Management issues two types of authorizations:
1) general authorizations
2)specific authorizations
Adequate documents and records

The systems should be designed in a way to maintain

a record of all events and should be easily accessible
in order to have effective auditing process.
 Physical control over assets and records

Computer system differs from manual systems in a way they

concentrate all the information systems assets and records of an
organization.
Example:
In manual system if a person wants to commit fraud he’ll have to go
to different physical locations whereas in computer based all the data
will be available in single site. Thus making it easy to execute the
fraud.
Adequate management supervision
• In computer based system supervision needs to be
carried out remotely.
• Managers must examine and do periodic auditing to
check for unauthorized actions.
 Independent checks on performance
• The control emphasis should be on ensuring the veracity of program
code.
• Auditors must must evaluate controls established for program
development, modification operation and maintenance.
Effects of computers on auditing

1)Changes to evidence collection

2)Changes to evidence evaluation
Foundation of information systems auditing
1)Traditional auditing
2)Information system management
3)Behavioral science
4)Computer science
Advantages of using computers in audit
techniques
• Increase the accuracy of audit tests
• Perform audit tests more efficiently
• Enable the audit team to test a large volume of data accurately and quickly
• Reduce the level of human error in testing
• Provide a better quality of audit evidence
Thank you