INFORMATION SYSTEM AUDIT PROCESS
BY DR. SELASI OCANSEY
Learning Objectives
1. Describe what an audit universe is, and illustrate it with an example.
2. Define control objectives for information and related technology, and explain why they are useful for organizations and auditors.
3. Explain what a risk assessment is and its significance to the audit function. Illustrate an example of a risk assessment following the National Institute of Standards and Technology methodology.
4. Describe an audit plan and its components. Illustrate examples of IT audit documentation supporting a financial statement audit.
5. Define the audit process and describe the phases of an IT audit engagement.
6. Discuss other types of audits conducted in IT.


THE IS AUDIT PROCESS
The audit of an IS environment to evaluate its systems, practices and operations may include one or both of the following:
 Assessment of internal controls within the IS environment, to assure the validity, reliability and security of information.
 Assessment of the efficiency and effectiveness of the IS environment in economic terms.
 The IS audit process evaluates the adequacy of internal controls with regard to both specific computer programs and the data processing environment as a whole. This includes evaluating both effectiveness and efficiency.
 The focus (scope and objective) of the audit process is not only on security, which comprises confidentiality, integrity and availability, but also on effectiveness (result orientation) and efficiency (optimum utilization of resources).
RESPONSIBILITY OF IS AUDITOR
The audit objective and scope have a significant bearing on the skill and competence requirements of an IS auditor. The set of skills generally expected of an IS auditor includes:
 Sound knowledge of business operations, practices and compliance requirements,
 The requisite professional technical qualifications and certifications,
 A good understanding of information risks and controls,
 Knowledge of IT strategies and of policy and procedure controls,
 The ability to understand technical and manual controls relating to business continuity, and
 Good knowledge of professional standards and best practices for IT controls and security.
The audit process therefore begins by defining the scope and objectives; these determine which standards and benchmarks are adopted as the model for collecting and evaluating evidence while executing the audit.
FUNCTIONS OF IS AUDITOR
 The IT auditor is often the translator of business risk, as it relates to the use of IT, to management: someone who can check the technicalities well enough to understand the risk (not necessarily manage the technology), make a sound assessment and present risk-oriented advice to management.
 IT auditors review risks relating to IT systems and processes, among them:
(i) Inadequate information security (e.g. missing or out-of-date antivirus controls, unnecessary open network ports, systems without passwords or with weak passwords, etc.)
(ii) Inefficient use of corporate resources, or poor governance (e.g. heavy spending on unnecessary IT projects such as printing resources, storage devices, high-powered servers and workstations, etc.)
(iii) Ineffective IT strategies, policies and practices (including a lack of policies for the use of Information and Communication Technology (ICT) resources, Internet usage policies, security practices, etc.)
(iv) IT-related fraud (including phishing, hacking, etc.)
CATEGORIES OF IS AUDITS
IT audits are commonly categorized into five types:
(i) Systems and Applications : An audit to verify that systems
and applications are appropriate, are efficient, and are
adequately controlled to ensure valid, reliable, timely, and
secure input, processing, and output at all levels of a system's
activity
(ii) Information Processing Facilities : An audit to verify that
the processing facility is controlled to ensure timely, accurate,
and efficient processing of applications under normal and
potentially disruptive conditions.
(iii) Systems Development : An audit to verify that the systems under
development meet the objectives of the organization and to ensure that
the systems are developed in accordance with generally accepted
standards for systems development.
(iv) Management of IT and Enterprise Architecture : An audit to verify
that IT management has developed an organizational structure and
procedures to ensure a controlled and efficient environment for
information processing.
(v) Telecommunications, Intranets, and Extranets : An audit to verify
that controls are in place on the client (computer receiving services),
server, and on the network connecting the clients and servers.
STEPS IN INFORMATION TECHNOLOGY AUDIT
 Different audit organizations go about IT auditing in different ways, and individual auditors have their own favourite ways of working. The work can nonetheless be categorized into six stages:
Figure: Steps in IS audit process
(i) Scoping and pre-audit survey: the auditors determine the main area(s) of focus and any areas that are explicitly out of scope, normally based on some form of risk assessment. Information sources at this stage include background reading and web browsing, previous audit reports, pre-audit interviews, observations and, sometimes, subjective impressions that simply deserve further investigation.
(ii) Planning and preparation: the scope is broken down into greater levels of detail, usually involving the generation of an audit work plan or risk-control matrix.
(iii) Fieldwork: gathering evidence by interviewing staff and managers, reviewing documents, printouts and data, observing processes, etc.
(iv) Analysis: sorting out, reviewing and making sense of all the evidence gathered earlier. SWOT (Strengths, Weaknesses, Opportunities, Threats) or PEST (Political, Economic, Social, Technological) techniques can be used for analysis.
(v) Reporting: reporting to management is done after the gathered evidence has been analysed.
(vi) Closure: preparing notes for future audits and following up with management to complete the actions they promised after previous audits.
 Steps 3 and 4 may on occasion involve the use of automated data analysis tools such as ACL or IDEA, if not Excel, Access and hand-crafted SQL queries.
 Automated system security analysis, configuration or vulnerability management and security benchmarking tools are also a boon for reviewing security parameters, and of course the basic security management functions built into modern systems can help with log analysis, reviewing user access rights, and so on.
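The user-access review mentioned above, done the way steps (iii) and (iv) describe: HR and application access extracts obtained in fieldwork are loaded into a database and interrogated with hand-crafted SQL queries. This is an added example and not code from the slides; the HR extract, the ERP access extract, the role names and the segregation-of-duties rule are constructed sample data, and the 90-day dormancy threshold is an assumption.

```python
import sqlite3

# Constructed sample data (not from the slides): an HR extract and an ERP
# user-access extract of the kind obtained during fieldwork (step iii).
HR_EXTRACT = [
    # employee_id, name, status, termination_date (ISO date or None)
    ("E001", "Ama Mensah",   "ACTIVE",     None),
    ("E002", "Kofi Boateng", "TERMINATED", "2024-01-15"),
    ("E003", "Yaw Owusu",    "ACTIVE",     None),
    ("E004", "Efua Darko",   "ACTIVE",     None),
]
ACCESS_EXTRACT = [
    # employee_id, system, role, last_login (ISO date)
    ("E001", "ERP", "AP_CLERK",    "2024-03-01"),
    ("E001", "ERP", "AP_APPROVER", "2024-03-01"),  # enters and approves invoices
    ("E002", "ERP", "SYSADMIN",    "2024-02-20"),  # login after termination date
    ("E003", "ERP", "READ_ONLY",   "2023-06-10"),  # not used for months
    ("E004", "ERP", "AP_CLERK",    "2024-03-02"),
]
# Assumed segregation-of-duties rule set: role pairs one person must not hold.
SOD_CONFLICTS = [("AP_CLERK", "AP_APPROVER")]


def load_extracts():
    """Load the extracts into an in-memory SQLite database for querying."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hr(employee_id, name, status, termination_date)")
    con.execute("CREATE TABLE access(employee_id, system, role, last_login)")
    con.execute("CREATE TABLE sod(role_a, role_b)")
    con.executemany("INSERT INTO hr VALUES (?, ?, ?, ?)", HR_EXTRACT)
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", ACCESS_EXTRACT)
    con.executemany("INSERT INTO sod VALUES (?, ?)", SOD_CONFLICTS)
    return con


def leavers_with_access(con):
    """Leavers whose accounts still carry a role. ISO dates compare correctly
    as text, so the last column is 1 when the account was used after leaving."""
    return con.execute("""
        SELECT a.employee_id, a.role, h.termination_date, a.last_login,
               a.last_login > h.termination_date AS used_after_leaving
          FROM access a JOIN hr h USING (employee_id)
         WHERE h.status = 'TERMINATED'
         ORDER BY a.employee_id, a.role""").fetchall()


def dormant_accounts(con, as_of, days=90):
    """Accounts not used within `days` of the review date (assumed threshold)."""
    return con.execute("""
        SELECT employee_id, role, last_login
          FROM access
         WHERE julianday(?) - julianday(last_login) > ?
         ORDER BY employee_id""", (as_of, days)).fetchall()


def sod_violations(con):
    """People holding both halves of a conflicting role pair on the same system."""
    return con.execute("""
        SELECT DISTINCT x.employee_id, x.system, s.role_a, s.role_b
          FROM access x
          JOIN access y ON y.employee_id = x.employee_id AND y.system = x.system
          JOIN sod s    ON s.role_a = x.role AND s.role_b = y.role
         ORDER BY x.employee_id""").fetchall()


def access_review(as_of):
    """Run the three tests and return the findings keyed by test name."""
    con = load_extracts()
    try:
        return {
            "leavers_with_access": leavers_with_access(con),
            "dormant_accounts": dormant_accounts(con, as_of),
            "sod_violations": sod_violations(con),
        }
    finally:
        con.close()


if __name__ == "__main__":
    for test, rows in access_review("2024-03-05").items():
        print(f"{test}: {len(rows)} finding(s)")
        for row in rows:
            print("   ", row)
```

Each query maps to a control objective the auditor is testing (leavers are deprovisioned promptly, unused accounts are disabled, incompatible duties are separated), and each returned row is a finding that carries its own evidence (the dates or roles that triggered it) for the working papers.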
Cost effectiveness of control procedures
 No internal control system can provide foolproof protection against all internal control threats.
 The cost of a foolproof system would be prohibitive. In addition, because many controls negatively affect operational efficiency, too many controls slow the system and make it inefficient.
 Therefore, the objective in designing an internal control system is to provide reasonable assurance that control problems do not take place.
 The benefit of an internal control procedure must exceed its cost. Costs are easier to measure than benefits, however.
 The primary cost element is personnel, including the time to perform control procedures, the cost of hiring additional employees to achieve effective segregation of duties, and the cost of programming controls into an information system.
 Internal control benefits stem from reduced losses. One way to calculate benefits involves expected loss, the mathematical product of risk (the probability that a threat materialises) and exposure (the loss if it does).
 The benefit of a control procedure is the difference between the expected loss without the control procedure(s) and the expected loss with it.
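A worked instance of the expected-loss calculation above, added here and not taken from the slides: expected loss is risk times exposure, a control's benefit is the reduction in expected loss it produces, and the control is cost-justified only when that benefit exceeds its cost. The threats, probabilities, exposures, controls and costs are constructed figures, and the `Threat`, `Control` and `evaluate_controls` names are illustrative.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    risk: float       # probability the threat materialises in the period (0..1)
    exposure: float   # loss, in currency units, if it does


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                                         # cost over the same period
    residual_risk: dict = field(default_factory=dict)   # threat name -> risk with control


def expected_loss(risk, exposure):
    """Expected loss is the product of risk and exposure."""
    return risk * exposure


def total_expected_loss(threats, control=None):
    """Sum of expected losses, optionally with a control lowering some risks."""
    total = 0.0
    for t in threats:
        risk = control.residual_risk.get(t.name, t.risk) if control else t.risk
        total += expected_loss(risk, t.exposure)
    return total


def control_benefit(control, threats):
    """Benefit = expected loss without the control minus expected loss with it."""
    return total_expected_loss(threats) - total_expected_loss(threats, control)


def evaluate_controls(controls, threats):
    """Cost-benefit table, best net benefit first. A control is justified only
    when its benefit strictly exceeds its cost; a break-even control buys nothing."""
    rows = []
    for c in controls:
        benefit = control_benefit(c, threats)
        rows.append({
            "control": c.name,
            "benefit": benefit,
            "cost": c.cost,
            "net": benefit - c.cost,
            "justified": benefit > c.cost,
        })
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed figures (assumed, not from the slides).
THREATS = [
    Threat("ransomware",    risk=0.10, exposure=500_000),   # expected loss 50,000
    Threat("payroll fraud", risk=0.05, exposure=200_000),   # expected loss 10,000
]
CONTROLS = [
    Control("offline backups", cost=15_000, residual_risk={"ransomware": 0.02}),
    Control("second approver on payroll", cost=9_000, residual_risk={"payroll fraud": 0.01}),
    Control("biometric door locks", cost=30_000),   # reduces neither listed threat
]

if __name__ == "__main__":
    print(f"expected loss with no controls: {total_expected_loss(THREATS):,.0f}")
    for r in evaluate_controls(CONTROLS, THREATS):
        verdict = "justified" if r["justified"] else "not justified"
        print(f"{r['control']:<28} benefit {r['benefit']:>9,.0f}  "
              f"cost {r['cost']:>8,.0f}  net {r['net']:>9,.0f}  {verdict}")
```

With these figures the backups cut expected loss by 40,000 for a cost of 15,000 and are justified; the second approver cuts it by 8,000 but costs 9,000, so by the rule on the slide it is not; the door locks touch neither threat and show a benefit of zero. The ranking is only as good as the risk and exposure estimates, which is why the slides note that benefits are harder to measure than costs.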
