
JOMO KENYATTA UNIVERSITY OF AGRICULTURE

BACHELOR OF BUSINESS INFORMATION TECHNOLOGY Y4S2

BIT 2318 INFORMATION SYSTEM AUDIT (45 CONTACT HOURS)

PROFESSIONAL CERTIFICATIONS
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Privacy Professional (CIPP)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Internal Controls Auditor (CICA)
• Forensics Certified Public Accountant (FCPA)
• Certified Fraud Examiner (CFE)
• Certified Professional Internal Auditor (CPIA)
• Certified Information Technology Professional (CITP)

INTRODUCTION TO INFORMATION SYSTEMS AUDIT


Auditing is an evaluation of a person, organization, system, process, enterprise, project or product, performed to ascertain the validity and reliability of information and to provide an assessment of a system's internal controls. Auditing is also described as a continuous search for compliance.
IT auditing refers to the part of an audit that involves the computerized elements of an information system. It is an examination of the management controls within an information technology (IT) infrastructure.
It is the process of collecting and evaluating evidence to determine whether a computer-based information system safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.
The purpose of an IS audit is to review and provide feedback, assurance and suggestions.
The IT audit's role is to provide an opinion on the controls in place to provide confidentiality, integrity and availability for the organization's IT infrastructure and the data that supports the organization's business processes.

The objectives of IT audits include:

• Evaluating the reliability of data from IT systems.
• Ascertaining the level of compliance with the applicable laws, policies and standards in relation to IT.
• Checking whether there are instances of excess, extravagance or gross inefficiency tantamount to waste in the use and management of IT systems.

BASIC CONCEPTS
Auditor's Independence: Independence is the keystone upon which the respect and dignity of a profession are based. Independence implies that the judgement of a person is not subordinate to the wishes or directions of another person who might have engaged him, or to his own self-interest.
True and Fair: The phrase “true and fair” in the auditor’s report signifies that the auditor is required to
express his opinion as to whether the state of affairs and the results of the entity as ascertained by him in the
course of his audit are truly and fairly represented.
Audit Evidence: Information used by the auditor in arriving at the conclusions on which the auditor’s opinion
is based.
Required Knowledge
• IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
• IS auditing practices and techniques
• Techniques to gather information and preserve evidence (e.g. observation, inquiry, interview, computer-assisted audit techniques (CAATs), electronic media)
• The evidence life cycle (e.g. collection, protection, chain of custody)
• Control objectives and controls related to IS (e.g. COBIT)
• Risk assessment in an audit context
• Audit planning and management techniques
• Reporting and communication techniques (e.g. facilitation, negotiation, conflict resolution)
• Control self-assessment (CSA)
• Continuous audit techniques

Types of IT audits
Different authorities have proposed different taxonomies to distinguish the various types of IT audit.
The spectrum of IT audits can generally be put in five categories:
• Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely and secure input, processing and output at all levels of a system's activity. System and process assurance audits form a subtype, focusing on business process-centric IT systems. Such audits have the objective of assisting financial auditors.
• Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate and efficient processing of applications under normal and potentially disruptive conditions.
• Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
• Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
• Client/Server, Telecommunications, Intranets and Extranets: An audit to verify that telecommunications controls are in place on the client, on the server, and on the network connecting the clients and servers.
• Forensic Audit: The application of auditing and investigative skills to situations that may have legal implications. Forensic audits may be required in the following instances:
  • Fraud investigations involving misappropriation of funds, money laundering, tax evasion and insider trading
  • Quantification of loss in the case of insurance claims
  • Determination of the profit share of business partners in the case of a dispute
  • Determination of claims of professional negligence relating to the accountancy profession
Findings of a forensic audit could be used in a court of law as expert opinion on financial matters.

STAKEHOLDERS
The various stakeholders interested in audits are:
• Professional associations and organizations, and government entities, which have recognized the need for IT control and auditability.
• Investors and shareholders: These people own the organisation but, in many cases, will not be closely involved in its day-to-day running.
• Company accountants/Finance Directors: These people are essentially in charge of the finances of the organisation being audited and, for them, going through an audit is mostly about confidence and peace of mind. Having an independent expert poring over your figures might be a little uncomfortable at times, but the reward is in making sure that your numbers are true and fair.
• Financial analysts: These people help to determine what an organisation's shares are worth and, therefore, its value as a whole. They do so by independently analysing and commenting on its financial position as well as making predictions about its future success. For financial analysts, audited accounts are a vital tool, since they provide unbiased and independently checked information on which to base their work.
• Regulators: These independent organisations are tasked with overseeing a wide range of industries to ensure individual firms are operating fairly and legally. They may make use of audited accounts as part of the ongoing monitoring of each firm or to help with more specific investigations.
• Other stakeholders: Depending on the organisation being audited, the outcome of an audit process may be of interest to a whole range of other stakeholders, such as politicians, journalists and the general public.

Main features of the IS Auditing Environment

• All tasks are performed electronically.
• Electronic data interchange and online transactions are expanding.
• The auditing process is carried out continuously, not only at the end of the year.
• Technological techniques such as neural networks are employed to detect fraud and errors.
• Software agents could be used to collect electronic audit evidence.

Tasks of an IS auditor
• Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices
• Plan specific audits to ensure that IT and business systems are protected and controlled
• Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives
• Communicate emerging issues, potential risks and audit results to key stakeholders
• Advise on the implementation of risk management and control practices within the organization while maintaining independence

The Audit Charter

• The Audit Charter is a definition of the organizational independence of the internal audit function, including the accountability of the audit function and provision for objective assessment of its resource requirements.
• It is a recognition of the control environment of the organization (operations, resources, services, responsibilities to external entities).
• It establishes the internal audit function's right of access to all records, assets, personnel and premises, including those of partner organizations.
• It establishes the internal audit function's authority to obtain the information and explanations it considers necessary to fulfil its responsibilities.
• The charter should be approved at the highest management level and by the audit committee, if available.
• Once the charter has been established, any changes must be thoroughly justified.

The charter should include:

• A clear statement of management's responsibility and objectives for the audit function
• Management's delegation of authority to the audit function
• The overall authority, scope and responsibilities of the audit function
• The reporting lines and relationships

Organizational Requirements
• The role of the IS audit function should be established by an audit charter.
• IS audit is most likely to be part of internal audit; therefore, the audit charter may also cover other audit functions.
• This charter should state clearly management's responsibility and objectives for, and delegation of authority to, the IS audit function.
• This document should outline the overall authority, scope and responsibilities of the audit function.
• The highest level of management and the audit committee, if available, should approve this charter. Once established, this charter should be changed only if the change can be and is thoroughly justified.

Rights of IS Auditors
1. The IS auditor has the right to have an engagement letter or audit charter specifying the scope, objective and terms of reference of the audit.
2. The IS auditor has the right to access appropriate information and resources to effectively and efficiently complete the audit.
3. The IS auditor has the right to believe that management has established appropriate controls to prevent, deter and detect fraud unless the tests and evaluation carried out by the IS auditor prove otherwise.
4. The IS auditor has the right to call for such information and explanations as are deemed necessary and appropriate to permit objective completion of the audit.
5. The IS auditor has the right to retain the working files, documents, audit evidence, etc., obtained during the course of the audit, in support of his/her conclusions and to use the same as the basis of reference in case of any issues or contradictions.
Limitations
1. The IS auditor should have sufficient knowledge to identify the indicators of fraud but may not be expected to have the expertise of the person whose primary responsibility is detecting and investigating fraud.
2. The IS auditor should be alert to the significant risks that might affect objectives, operations or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
3. Where the IS auditor is not able to obtain required information, is restricted from accessing resources or is in any way restrained from carrying out his/her function, the IS auditor should escalate his/her concerns to appropriate senior levels in management. The IS auditor should conduct the audit in a professional manner.
4. Where the IS auditor has utilized the services of an external expert, the IS auditor should evaluate the usefulness and sufficiency of the work performed by that external expert and also perform appropriate testing to confirm the expert's findings.
5. The IS auditor is not responsible for implementing corrective actions.

IT Audit Program
The following are basic steps in performing the Information Technology Audit Process:
1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up
6. Reports
An effectively planned and developed IT audit program should:
• Identify areas of greatest IT risk exposure to the organization.
• Promote the confidentiality, integrity and availability of information systems.
• Determine the effectiveness of management's planning and oversight of IT activities.
• Evaluate the adequacy of operating processes and internal controls.
• Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures.
• Recommend appropriate corrective action to address deficient internal controls.
• Follow up with management to ensure that recommended corrective actions have been effectively implemented.

Audit Documentation
In addition to the audit plan, the documentation for an IS audit includes:
• A description or diagram of the IS environment
• Audit programs
• Minutes of meetings
• Audit evidence
• Findings
• Conclusions and recommendations
• Any report issued as a result of the audit work
• Supervisory review comments, if any

At a minimum, documentation should include a record of the:

• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs of the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• Evidence of supervisory review and the report that was issued as a result of the audit work
• Any audit information required by contractual stipulations, regulations, laws and professional standards

All information systems audits are based on:

• Evidence
• Independence
• Audit risk
• IS and general audit responsibilities for fraud
• Assurance
• Materiality concepts for auditing information systems
• Linkage to standards, hence the need for guidelines

Audit Evidence
Audit evidence is any information used by the auditor to determine whether the information being audited is stated in accordance with established criteria; that is, all the information used by the auditor in arriving at the conclusions on which the audit opinion is based. The determinants of the persuasiveness of evidence are:
• Competence – the degree to which the evidence can be considered trustworthy.
• Sufficiency – the amount of evidence is enough to form a reasonable opinion.
• Relevance – the evidence must pertain to the audit objective being tested.
• Independence – evidence from outside the client is a stronger form of evidence.
• Effectiveness of client internal controls – good internal controls can mean better information.
• Auditor direct knowledge – the auditor's own determinations are stronger than client comments.
• Qualifications – the individual providing the evidence is a qualified source.
• Degree of objectivity – objective evidence is stronger than subjective evidence.
• Timeliness – balance sheet account evidence is better when it is collected around the date of the financial statement; income statement evidence should sample the entire period.
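The evidence life cycle listed under Required Knowledge (collection, protection, chain of custody) and the competence determinant above both depend on being able to show that an item of electronic evidence is unchanged since it was collected and who has handled it. The following Python script is an added example, not part of the original notes and not code from any standards body, showing one way to keep such a record: the evidence is hashed at collection, and each custody entry is hashed and linked to the previous entry so that a later edit or deletion in the log is detectable. The log lines used as evidence, the evidence identifiers and the auditor names are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a few log lines an auditor might collect as electronic
# evidence from a system under review. Not taken from any real system.
SAMPLE_EVIDENCE = (
    b"2024-03-01T08:12:04Z user=jdoe action=LOGIN result=OK\n"
    b"2024-03-01T08:13:51Z user=jdoe action=EXPORT table=payroll rows=412\n"
    b"2024-03-01T08:14:02Z user=jdoe action=LOGOUT\n"
)

GENESIS = "0" * 64  # placeholder link for the first custody entry


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence content; any change to the bytes changes it."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash of a custody entry's fields (excluding its own hash), in a fixed key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only chain-of-custody record for one item of evidence.

    Each entry records who handled the evidence, what they did, when, and the
    hash of the evidence at that moment. Each entry also carries the hash of
    the previous entry, so removing or editing an earlier entry breaks the chain.
    """

    def __init__(self, evidence_id: str, data: bytes, collected_by: str):
        self.evidence_id = evidence_id
        self.content_hash = sha256_hex(data)  # hash fixed at collection time
        self.entries: list = []
        self.record(collected_by, "collected", data)

    def record(self, actor: str, action: str, data: bytes,
               when: Optional[str] = None) -> dict:
        """Append a custody entry for `actor` performing `action` on `data`."""
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "actor": actor,
            "action": action,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "content_hash": sha256_hex(data),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> list:
        """Return a list of problems; an empty list means evidence and log are intact."""
        problems = []
        if sha256_hex(data) != self.content_hash:
            problems.append("evidence content differs from the hash taken at collection")
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence number is {e['seq']}, expected {i}")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {i}: link to previous entry is broken")
            if entry_hash(e) != e["entry_hash"]:
                problems.append(f"entry {i}: entry hash does not match its contents")
            if e["content_hash"] != self.content_hash:
                problems.append(f"entry {i}: evidence hash changed while in custody")
            prev = e["entry_hash"]
        return problems


if __name__ == "__main__":
    log = CustodyLog("EV-001", SAMPLE_EVIDENCE, "auditor_a")
    log.record("auditor_b", "reviewed", SAMPLE_EVIDENCE)
    print("intact:", log.verify(SAMPLE_EVIDENCE))
    log.entries[0]["actor"] = "someone_else"  # simulate an edit to the custody record
    print("tampered:", log.verify(SAMPLE_EVIDENCE))
```

Run it directly to see an intact log followed by a detected edit. The hashes only make tampering visible; in practice the custody record would be kept separately from the evidence, on append-only or signed storage, so that an attacker who can alter the evidence cannot also quietly rewrite the whole chain.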

Types of Audit Evidence

A. Physical examination - Inspection or count by the auditor of a tangible asset. It differs from examining documentation because the asset has inherent value.
B. Confirmations - The receipt of a written or oral response from an independent third party. The auditor has the client request that the third party respond directly to the auditor. A positive confirmation asks for a response even if the balance is correct; a negative confirmation asks for a response only if the balance is incorrect.
C. Documentation - Examination of documents that support a recorded transaction or amount. The direction of testing must be from the recorded item to the supporting document. This tests existence or occurrence.
D. Analytical Procedures - The auditor studies relationships among data. Unusual fluctuations occur when significant differences are not expected but do exist, or when significant differences are expected but do not exist. Required during the planning and completion phases of all audits.
E. Inquiries of the Client - The auditor obtains information from the client in response to questions. Although much evidence is obtained through inquiry, it cannot be regarded as conclusive and may be biased in the client's favour.
F. Reperformance - Rechecking a sample of the computations and transfers of information. Rechecking computations consists of testing mathematical accuracy. Rechecking transfers of information involves seeing whether information is recorded consistently in the accounting records.
G. Observation - The auditor witnesses the physical activities of the client. This differs from physical examination because physical examination counts assets, while observation focuses on client activities.
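Analytical procedures (item D above) compare recorded figures with what the auditor expects and flag unusual fluctuations in either direction. The following Python script is an added example, not part of the original notes, that builds an expectation from the prior year's quarterly pattern plus an assumed growth rate and reports any quarter whose recorded figure deviates from that expectation by more than a tolerance. The quarterly figures, the 5% growth assumption and the 10% tolerance are constructed for illustration; the seasonal Q4 peak in the constructed data is what lets the example show both kinds of unusual fluctuation.

```python
# Constructed figures for one revenue account, by quarter. Not real data.
PRIOR_YEAR = {"Q1": 1000.0, "Q2": 1050.0, "Q3": 1100.0, "Q4": 1600.0}  # Q4 is the seasonal peak
CURRENT_YEAR = {"Q1": 1050.0, "Q2": 1110.0, "Q3": 1450.0, "Q4": 1200.0}


def build_expectation(prior: dict, growth: float) -> dict:
    """Auditor's expectation: last year's pattern scaled by an assumed growth rate.

    The seasonal shape of the prior year carries over, so a quarter that was
    high last year is expected to be high again this year.
    """
    return {period: value * (1.0 + growth) for period, value in prior.items()}


def flag_fluctuations(actual: dict, expected: dict, tolerance: float = 0.10) -> list:
    """Compare each period's recorded figure with the expectation.

    A finding is raised whenever the relative deviation exceeds `tolerance`.
    This covers both situations in the notes: a significant difference that was
    not expected but exists (the actual figure moves, the expectation does not)
    and a significant difference that was expected but does not exist (the
    expectation moves, the actual figure does not). Periods with no recorded
    figure are reported too, since a gap in the data is itself something to
    investigate.
    """
    findings = []
    for period in sorted(expected):
        exp = expected[period]
        act = actual.get(period)
        if act is None:
            findings.append({"period": period, "issue": "no recorded figure"})
            continue
        deviation = (act - exp) / exp if exp else float("inf")
        if abs(deviation) > tolerance:
            findings.append({
                "period": period,
                "actual": act,
                "expected": round(exp, 2),
                "deviation": round(deviation, 3),
                "issue": "higher than expected" if deviation > 0 else "lower than expected",
            })
    return findings


if __name__ == "__main__":
    expectation = build_expectation(PRIOR_YEAR, growth=0.05)
    for finding in flag_fluctuations(CURRENT_YEAR, expectation):
        print(finding)
```

With the constructed data, Q3 is flagged because it rose when no rise was expected, and Q4 is flagged because the expected seasonal rise did not happen. Each finding is a lead for further work (inquiry, documentation, reperformance), not a conclusion in itself; the tolerance is an auditor's judgement and should be set with materiality in mind.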

Management Response
In response to the audit results, management should commit to a program of corrective action, with dates by
which the action plan will be implemented.
Although management is responsible for deciding the appropriate actions to be taken in response to the
reported audit findings, the IS auditor is responsible for assessing management actions for timely resolution of
the audit findings.
However, senior management may decide to assume the risk of not correcting the reported conditions because
of cost or other considerations.
The IS auditor should follow up to determine whether such a decision has been made.

Computer fraud is the act of using a computer to take or alter electronic data, or to gain unlawful use of a
computer or system.
Types of computer fraud include:
 Distributing hoax emails
 Accessing unauthorized computers
 Engaging in data mining via spyware and malware
 Hacking into computer systems to illegally access personal information.
 Sending computer viruses or worms with the intent to destroy or ruin another party's computer or system.
Phishing, social engineering, viruses and DDoS attacks are well-known tactics used to disrupt service or gain access to another's network, but this list is not exhaustive.

CAT 1
1. Explain the different types of reports which are produced by IS auditors. [6 Mks]
2. Give any six Emerging Issues in Information Systems Audit. [6 Mks]
3. Explain the steps followed in auditing financial information systems [6 Mks]
4. Give six Audit functions which specialized software may perform [6 Mks]
5. Explain the impact of an IT environment on the audit process. [6 Mks]
