
DON’T BE UPSET

AFTER FAILURE
BECAUSE YOU
ARE BORN TO BE
PERFECT
THE CONCEPT

System Audit is essentially an audit of a computer system. The basic objectives of such an audit are
to safeguard the assets, maintain data integrity, maintain process integrity, and achieve the
goals of an organization effectively and efficiently.

Safeguarding the assets: The assets of an organization may be varied. These include hardware,
software, appliances and human resources (manpower). Even items like physical manuals of
hardware and software systems are important assets of the organization, although in the normal
course these are not required very often. Similarly, documentation of various system files is an
important asset of the organization. These assets are to be safeguarded from damage,
misuse and other losses. The objective of the System Audit is to ensure that the
organization has taken adequate measures to protect the assets.

Maintaining data integrity: Integrity of data is required to be maintained at all levels – input,
output and maintenance of outputs. Integrity of data implies that data is complete, accurate,
without any distortion, and is presented and preserved in the manner desired by the
organization. This is more important in the present-day scenario where a database is shared
between various offices and people across geographies at various places – whether within the
same organization or across many organizations. However, any organization has to incur some
expenditure in order to achieve a given level of data integrity.

Maintaining process integrity: In order to ensure data integrity, it is essential to ensure that
processing by any computer system is done in a uniform manner and that the processing is not
corrupted either by manual intervention, by a virus or by any other means. This mainly
refers to the program part of the software, which processes the input and generates the outputs
in the desired manner. Any System Audit must focus on this aspect also, to ensure that
programs run in the manner they should and yield the desired result.
Effectiveness auditing: Any System Audit must aim at auditing effectiveness. An organization
must have some goals. Whether the computer system set up by the organization is achieving
those goals is the objective of effectiveness auditing. In order to evaluate effectiveness, an
auditor must know the characteristics of the users as well as the management system of the
organization. Effectiveness auditing takes place after a system has been running for some time.
The feedback coming out of this audit helps the management to decide whether to scrap the
system, continue its operation or modify it in some way. Auditing can also be carried out during
the process of designing a system.

Efficiency auditing: The System Audit should also focus on the efficiency of the system. In other
words, such an audit should throw light on whether efficiency in achieving the goals of the
organization has increased after adopting the computer system. This is also known as Efficiency
Audit. It reveals not only the quality of functioning of the system as a whole but also the
adequacy of the hardware, software etc. Again, such an audit is an effective tool for the
management to take suitable decisions regarding utilization of the capacity of the system,
qualitatively as well as quantitatively.
Scope of IS Audit

Basic areas of an IT audit scope can be summarized as:

• Policies and standards of the organization,
• Organization and management of computer facilities,
• Physical environment in which computers operate,
• Contingency plan,
• Operation of system software,
• Application system development process,
• Review of user applications and end-user access.
Importance of System Audit in Computerized Environment

Many organisations are spending large amounts of money on IT because they recognise the
tremendous benefits that IT can bring to their operations and services. However, they need to
ensure that their IT systems are reliable, secure and not vulnerable to computer attacks. IS audit is
important for an organization for the following reasons.

• IS audit gives assurance that the IT systems are adequately protected, provide reliable
information to users and are properly managed to achieve their intended benefits.
• Many users rely on IT without knowing how the computers work. A computer error could be
repeated indefinitely, causing more extensive damage than a human mistake.
• IS audit could also help to reduce the risks of data tampering, data loss or leakage, service
disruption, and poor management of IT systems.
• It improves the decision-making process of management, which then rests on correct data sources,
since it helps in maintaining data integrity.
• It reduces the probability of fraud and embezzlement, which may cause havoc to any
organization, particularly in a computerized environment where there is no limit to such loss.
• It reduces the probability of computer error by detecting errors early; an undetected error may be
highly costly.
• It ensures the optimum utilization of high-value computer resources through Effectiveness and
Efficiency Audit.
• It ensures that security aspects in the computerized environment are strictly followed and that
secrecy of system information relating to individuals and the company is maintained.
• It ensures that any evolving use of the computer system does not adversely affect the
interests of the company.
SYSTEM AUDIT PROCEDURES
Apart from a thorough audit of the computer system, system audit also critically examines the link
between the computer system and its manual interface and analyses the strengths and weaknesses
of that interface. Therefore, a system auditor must have an understanding of the business
activities undertaken in a computerized environment.

The different phases of an IS audit are:

1. Establish the objectives and scope.
2. Develop a plan to achieve the objectives.
3. Gather information on the relevant IT controls and evaluate them.
4. Perform audit tests, using Computer-Assisted Audit Techniques (CAATs) such as data
extraction and analysis software or test data, where appropriate.
5. Report on the IS audit findings.
6. Follow up.
The Audit Plan may be broadly divided into three parts.
– Audit Organization, i.e., who will conduct the audit.
– Process of Planning, i.e., how the audit will be conducted.
– Audit Reporting, i.e., how and in what format the audit report will be presented.
Audit Organization determines whether the audit will be done by Internal
Auditors or by External Auditors. While Internal Auditors understand the system
and procedures as well as the objectives of the organization better, they might
be influenced by the management. In such cases, internal auditors might not
reveal things which the management wants to hide.
For the purpose of System Audit, the Process of Planning may be divided into the following
steps.
(i) Review the latest Audit Report and take necessary steps,
(ii) Obtain a preliminary understanding of the system to be audited and document it properly,
(iii) Determine the most effective and efficient audit strategy,
(iv) Document the planned audit strategy.

Audit Reporting is the auditor’s formal written communication with the management, detailing
their observations on various issues relating to the audit objectives, with the purpose of
assisting the management to establish and maintain an adequate system of internal control.
For evaluating a computerized system, auditors must collect evidence relating to the performance
of the system. Various tools and techniques are available to assist the auditors in collecting such
evidence. Some of the tools and techniques are mentioned below.

• Generalized Audit Software,
• Other Audit Software,
• Program Source Code Review,
• Test Data,
• Program Code Comparison,
• Concurrent Audit Techniques,
• Manual Techniques.
Generalized audit software: By using Generalized Audit Software, auditors can gain access to
the data maintained in computerized media. This enables the auditors to assess the quality
of records in the system. The functions available in Generalized Audit Software are –
File Access, File Reorganization, Selection, Arithmetic, Stratification and frequency analysis,
File creation and updating, Reporting etc.

By carefully combining these functional capabilities, the following audit tasks can be
accomplished.
– Evaluate the quality of data,
– Evaluate the quality of system processing,
– Examine the existence of entities which data purports to represent,
– Analytical Review.
Other audit software: Other Audit Software includes
– Industry Specific Audit Software,
– Spreadsheet Audit Software,
– High Level Languages,
– System Software,
– Specialized Audit Software,
– Decision Support System Software.
Computer Aided Audit Tools and Techniques (CAATTs): This refers to any computer
program utilized to improve the audit process. Generally, it refers to any data
extraction and analysis software; this includes programs such as data analysis and
extraction tools, spreadsheets (e.g. Excel), databases (e.g. Access), statistical
analysis (e.g. SAS), general audit software (e.g. ACL, Arbutus, EAS), business
intelligence (e.g. Crystal Reports and Business Objects), etc.
Program source code review: While Generalized Audit Software is used to
examine the quality of data produced by a program, Program Source Code
Review is a direct way of examining program code. The Program Source Code
Review identifies erroneous code, unauthorized code, ineffective code, inefficient
code, and non-standard code. This helps the auditors to identify low-quality
programs.

Test data: The Test Data approach means the creation of dummy data to test
specific aspects of a program. The main objective of the Test Data Technique is to
assess whether the program contains errors.

Program code comparison: With this technique, the auditor can ascertain that
he/she audits the correct version of the software by comparing the program
code of the audit version with the standard version of the software.
Concurrent audit techniques: These are used when the auditor needs to collect
evidence and evaluate it instantaneously. This is done to ensure process
integrity. Techniques available for concurrent audit are –
Integrated Test Facility (ITF), Snapshots/Extended Records, System Control Audit
Review File (SCARF), Continuous and Intermittent Simulation (CIS). The
advantages of Concurrent Audit Techniques are:

– Quality of process can be determined,
– Evidence collected is online and comprehensive.
Benefits of Audit Software
Audit software is independent of the system being audited and works on a read-only copy of the file to
avoid any corruption of an organization’s data. Many audit-specific routines are available, such as
sampling. Sampling provides documentation of each test performed in the software, which can
be used as documentation in the auditor’s report.

Manual techniques: Apart from Computer Assisted Audit Techniques, evidence can also be
collected manually through interviews, questionnaires, control flow charts etc.

After collecting evidence, it is evaluated to judge the functioning of the system
in respect of the four objectives of the System Audit stated earlier. Evaluation of Asset
Safeguarding and Data Integrity Capability is done together, as the same methodology is
followed for both. This evaluation is focused on qualitative as well as quantitative aspects.
The auditors also evaluate the effectiveness of the system by judging parameters such as
improvement in task accomplishment, improvement in quality of working, and organizational
effectiveness.
SYSTEM AUDIT – SECURITY
All commercial organizations are exposed to various risks irrespective of the system they might
use. Therefore, organizations need to secure their systems from potential risks. But the
steps taken for security must be cost effective. The security of the system can be ensured
only through various controls and firm implementation of control measures. The System Audit
should ensure that the organization has taken appropriate measures to secure its systems
and also has adequate control measures to ensure security.
There are various types of controls in a computerized environment. They are as follows.

(i) Access Controls
(ii) Input Controls
(iii) Communication Controls
(iv) Processing Controls
(v) Database Controls
(vi) Output Controls
(vii) Control of Last Resort
The security in a computerized environment may best be described as detailed below.

(i) Environmental Controls: Clean and Uninterrupted Power: In order to ensure smooth
functioning of the system and to avoid any data loss or corruption, an organization must ensure
a smooth and uninterrupted supply of power. This is done by providing a UPS system, a voltage
stabilizer in bypass, an alternative source of power and redundant infrastructure.

Fire Control: Fire Control means the measures taken to prevent hazards arising out of fire.
This also includes steps to spread awareness relating to control of fire. Display of a ‘No
Smoking’ board in the System Room and other important places in the organization,
installation of smoke detectors and fire extinguishers, and avoiding stacking of superfluous
hazardous materials in important places in the office, particularly in the System Room, are
fire control mechanisms.
Clean and Dust Free Environment: The System Room must be clean and dust free. The
temperature and the humidity in the System Room must be controlled for better maintenance
of the system. Apart from this, a system of Water Damage Control and Pest Control should be in
place. Other aspects like the location of the System Room and maintenance of the System Room should
also be taken care of.

(ii) Access Controls: Security through Access Control comprises two main parts –
Physical Security and Logical Security.

Physical Security: Physical Security means only authorized persons will be allowed to access the
system physically. This includes System Room locking, Dead Man’s Door (deadman doors use a
pair of doors; for the second door to operate, the first entry door must close and lock, with only
one person permitted in the holding area, which effectively reduces the risk of piggybacking),
a secured layout plan, control through a System Room access register, control through a
System Access Register, locking arrangements etc. Apart from this, a burglar alarm and CCTV may be used
for prevention or detection of unauthorized physical access.
Logical Security: Logical Security is more significant in a computerized environment. This means
a person may get physical access to the system, but he cannot do anything unless he passes
the Logical Security. Logical Security includes use of User-Id, encrypted passwords, ID cards,
biometrics technology, restriction of rights of different users, restrictions regarding allocation
of supervisory rights etc. In most systems, these security features are available at both
levels – at the OS (operating system) level and at the application package level. The auditor
should ensure that at both levels such security features are implemented and maintained.
Password Expiry Date: The password expires automatically after a certain date so that the users will
be compelled to change their passwords after the date of expiry of the password.

Grace Login: How many times the users will be allowed to login after expiry of the password.
Unique Password: Whether users will be allowed to reuse an already used password.
Minimum Password Length: Users will be forced to use a password of at least the configured
minimum number of characters.
Review and Removal of Dormant Users: The IDs of users who are transferred from the
office, i.e., who are not required to use the system any longer, should be deleted from the
system immediately.

Restriction on Concurrent Connections: Users should not be allowed to connect to the
system concurrently, i.e., login from more than one machine at a time.

Restriction on Operating System: Except for System Administrators, normal users should not be
given rights to access the Operating System. Also, the OS should be hardened as per the policy
of the organization.

Logging of all Activities: All activities performed by all users are logged so that the controller will
have knowledge of the various activities performed and whether any user has done any
activity beyond their rights, due to a mistake in allocating rights or otherwise.
Hours/Days Restriction for Users: Users may be restricted from the system on Sundays or
non-working days. Similarly, working hours in the system for the users can be restricted. All
these features ensure that users cannot misuse the system in odd hours when
nobody is in the office.

Terminal Restriction for Users: Since users work in a network environment, in most cases they can
access the system from any machine. There is, however, no need for a user to work on more than one
machine, so users should be restricted to work only on one machine: specific terminal access may be
restricted for each user.
Security Codes for Menu Access: In a menu-driven package, some sensitive menus may be given security
codes so that only users required to use those menus can do so.
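The logical security checks listed above (password expiry, grace logins, unique password, minimum length, dormant users, concurrent connections, OS access restriction, hours/days and terminal restrictions) can be expressed as an automated audit routine. The following is an added example, not code from the original page; the account fields, the policy values and the sample accounts and logins are constructed assumptions.

```python
"""Audit a set of user accounts and login records against the logical
security controls described in the text. Added example: the record
layout, policy values and sample data are constructed, not from any
real system."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (user id, control name, detail)


@dataclass
class Policy:
    max_password_age_days: int = 90          # Password Expiry Date
    grace_logins: int = 3                    # Grace Login
    password_history: int = 5                # Unique Password: last N may not be reused
    min_password_length: int = 8             # Minimum Password Length
    dormant_after_days: int = 45             # Review and Removal of Dormant Users
    max_sessions: int = 1                    # Restriction on Concurrent Connections
    working_days: Tuple[int, ...] = (0, 1, 2, 3, 4)   # Mon=0 .. Fri=4 (Hours/Days Restriction)
    working_hours: Tuple[int, int] = (9, 18)          # 09:00 to 18:00


@dataclass
class Account:
    user_id: str
    role: str                      # "user" or "admin"
    password_set_on: date
    password_length: int
    password_hash: str             # constructed placeholder values, not real hashes
    previous_hashes: List[str]     # history of earlier password hashes, oldest first
    grace_logins_used: int
    last_login: Optional[datetime]
    active_sessions: int
    assigned_terminal: str
    transferred: bool = False      # user has left the office
    os_access: bool = False        # can reach the operating system shell


@dataclass
class Login:
    user_id: str
    terminal: str
    at: datetime


def audit_accounts(accounts: List[Account], policy: Policy, today: date) -> List[Finding]:
    """Static checks on the account master file."""
    findings: List[Finding] = []
    for a in accounts:
        age = (today - a.password_set_on).days
        if age > policy.max_password_age_days:
            if a.grace_logins_used >= policy.grace_logins:
                findings.append((a.user_id, "grace-login",
                                 f"password expired {age - policy.max_password_age_days} days ago "
                                 "and grace logins are exhausted; account should be locked"))
            else:
                findings.append((a.user_id, "password-expiry", f"password is {age} days old"))
        if a.password_hash in a.previous_hashes[-policy.password_history:]:
            findings.append((a.user_id, "unique-password",
                             f"current password reuses one of the last {policy.password_history}"))
        if a.password_length < policy.min_password_length:
            findings.append((a.user_id, "min-length",
                             f"length {a.password_length} < {policy.min_password_length}"))
        idle = None if a.last_login is None else (today - a.last_login.date()).days
        if a.transferred or idle is None or idle > policy.dormant_after_days:
            findings.append((a.user_id, "dormant-user", "transferred or inactive; ID should be removed"))
        if a.active_sessions > policy.max_sessions:
            findings.append((a.user_id, "concurrent-connections", f"{a.active_sessions} sessions open"))
        if a.os_access and a.role != "admin":
            findings.append((a.user_id, "os-access", "non-administrator has operating system access"))
    return findings


def audit_logins(logins: List[Login], accounts: List[Account], policy: Policy) -> List[Finding]:
    """Checks on the activity log: hours/days restriction and terminal restriction."""
    by_id = {a.user_id: a for a in accounts}
    findings: List[Finding] = []
    for entry in logins:
        acc = by_id.get(entry.user_id)
        if acc is None:
            findings.append((entry.user_id, "unknown-user", "login by an ID not in the master file"))
            continue
        start, end = policy.working_hours
        if entry.at.weekday() not in policy.working_days or not (start <= entry.at.hour < end):
            findings.append((entry.user_id, "hours-days", f"login at {entry.at:%a %Y-%m-%d %H:%M}"))
        if entry.terminal != acc.assigned_terminal:
            findings.append((entry.user_id, "terminal",
                             f"login from {entry.terminal}, assigned {acc.assigned_terminal}"))
    return findings


# Constructed sample data. AUDIT_DATE is a Friday.
AUDIT_DATE = date(2024, 3, 15)
POLICY = Policy()
SAMPLE_ACCOUNTS = [
    Account("alice", "user", date(2024, 2, 1), 12, "h-a3", ["h-a1", "h-a2"], 0,
            datetime(2024, 3, 14, 10, 0), 1, "T01"),
    Account("bob", "user", date(2023, 11, 1), 6, "h-b2", ["h-b1", "h-b2"], 3,
            datetime(2024, 3, 13, 9, 30), 2, "T02"),
    Account("carol", "user", date(2024, 2, 20), 10, "h-c1", [], 0,
            datetime(2023, 12, 1, 15, 0), 0, "T03", transferred=True),
    Account("dave", "user", date(2024, 1, 20), 10, "h-d1", [], 0,
            datetime(2024, 3, 10, 11, 0), 1, "T04", os_access=True),
]
SAMPLE_LOGINS = [
    Login("alice", "T01", datetime(2024, 3, 14, 10, 30)),   # normal
    Login("bob", "T05", datetime(2024, 3, 10, 23, 15)),     # Sunday night, wrong terminal
    Login("dave", "T04", datetime(2024, 3, 12, 20, 0)),     # weekday but after hours
    Login("mallory", "T09", datetime(2024, 3, 13, 12, 0)),  # ID not in master file
]


def run_audit() -> Tuple[List[Finding], List[Finding]]:
    return (audit_accounts(SAMPLE_ACCOUNTS, POLICY, AUDIT_DATE),
            audit_logins(SAMPLE_LOGINS, SAMPLE_ACCOUNTS, POLICY))


if __name__ == "__main__":
    for group in run_audit():
        for user, control, detail in group:
            print(f"{user:8} {control:22} {detail}")
```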
Input Controls: The purpose of input controls and validations is to prevent
• Unintentional entry of wrong data,
• Intentional entry of fraudulent data,
• Preparation of false input forms,
• Alteration of input forms,
• Use of unauthorized input forms for data entry,
• Deliberate error during data entry.
In order to ensure that adequate controls are in place at the point of input, various steps are
taken. These include verification, authorization, clearance of exception conditions, on-screen
transaction checking, checking of reports etc. In addition to these, input forms must
bear a terminal number stamp, initials of data entry operators, and signatures of the appropriate
authorities etc. Input forms – financial as well as non-financial – should be checked and
preserved properly.
Communication Controls: Computing has evolved from centralized mainframe-based to
distributed processing. With networking of computers, interception of messages has become a
major problem. In the mainframe environment, data security is controlled centrally, where it can
be easily enforced by the operating system and operating system security utilities in conjunction
with the application. In a distributed processing environment, information can be manipulated
and processed across multiple platforms. As a result, security of communication over the network
relies heavily on the Network Operating System (NOS) and other PC-capable add-on security
software packages.

Processing Controls: The purpose of Processing Controls is to ensure that the system processes
the data – financial as well as non-financial – correctly. This is ensured by maintaining the
integrity of the programs responsible for processing the data. Programs may not run properly
due to errors or corruption caused by accident or by intentional damage. Sometimes, due to
malfunctioning of hardware also, a program may not run properly.
Database Controls: The Database Controls ensure that the data in the database is not
corrupted by any means and that the integrity of data in the database is maintained. To this end,
data in the database is copied to another database or to other storage media like magnetic
tape. This method is known as Back-Up. It ensures that even if the database of the system is
corrupted by any chance, it can be restored with the help of the copied
database.

Output Controls: The objectives of Output Controls are to safeguard against

• Unauthorized alteration of reports,
• Willful suppression of reports or parts of them,
• Delivery of reports to unauthorized persons,
• Misplacement/exchange/deliberate destruction of reports,
• Careless handling of reports after expiry of the retention period.
IS AUDIT CONTROLS & APPROACHES
Audit Trails as Control Tool
Audit trail controls attempt to ensure that a chronological record
of all events that have occurred in a system is maintained. This record is needed to answer
queries, fulfill statutory requirements, deter irregularities, detect the consequences of error,
and allow system monitoring. Two types of audit trail must be maintained: the accounting
audit trail and the operations audit trail. The accounting audit trail shows the source and nature
of data and processes that update the database.

The following sorts of data must be kept in the accounting audit trail:
1. Identity of the would-be user of the system
2. Authentication information supplied
3. Action privileges requested
4. Terminal identifiers
5. Start and finish time
6. Number of login attempts
7. Resources provided/denied
8. Action privileges allowed/denied
Accounting Audit Trail
The accounting audit trail must allow a message to be traced through
each node in the network. Some examples of data items that might be kept in the accounting
audit trail are:
1. Unique identifier of the source code
2. Unique identifier of the person/process authorizing dispatch of the message
3. Time and date at which the message was dispatched
4. Message sequence number
5. Unique identifier of each node in the network that the message traversed
6. Time and date at which each node in the network was traversed by the message.

Given that a message should not be changed as it traverses a node in the network, keeping all
the above information may seem pointless. Indeed, if a message traverses a public network or
interchange network, the owner of the network may not be willing to maintain or to supply
the audit trail information.
Operations Audit Trail
The operations audit trail in the communication subsystem is especially
important, as the performance and, ultimately, the integrity of the network depend on the
availability of comprehensive operations audit trail data. Using this data, a network supervisor
can identify problem areas in the network and reconfigure the network accordingly. Some
examples of data items that might be kept in the operations audit trail are:

1. Number of messages that have traversed each link
2. Number of messages that have traversed each node
3. Queue lengths at each node
4. Number of errors occurring on each link or at each node
5. Number of retransmissions that have occurred across each link
6. Log of errors to identify locations and patterns of errors
7. Log of system restarts
8. Message transit times between nodes and at nodes
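The two trails are related: per-message accounting records (sequence number, nodes traversed, time at each node) can be rolled up into the per-link and per-node figures of the operations trail, and the same records can be checked for gaps and inconsistent timestamps. The following is an added example, not code from the original page; the record layout, node names and sample messages are constructed assumptions.

```python
"""Derive operations audit trail statistics from accounting audit trail
records of the communication subsystem, and flag trail integrity problems
(missing sequence numbers, timestamps that go backwards along the path).
Added example with constructed data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass
class MessageTrail:
    source: str                          # node that originated the message
    authorized_by: str                   # person/process that authorized dispatch
    dispatched_at: datetime
    seq: int                             # message sequence number, per source
    hops: List[Tuple[str, datetime]]     # (node id, time traversed), in path order


def sequence_gaps(trails: List[MessageTrail]) -> Dict[str, List[int]]:
    """Sequence numbers missing between the lowest and highest seen per source.
    A gap means a message was lost, suppressed or never logged."""
    seen: Dict[str, set] = defaultdict(set)
    for t in trails:
        seen[t.source].add(t.seq)
    gaps = {}
    for src, nums in seen.items():
        missing = [n for n in range(min(nums), max(nums) + 1) if n not in nums]
        if missing:
            gaps[src] = missing
    return gaps


def time_anomalies(trails: List[MessageTrail]) -> List[Tuple[str, int, str]]:
    """Trails whose first node is not the source, or whose hop times are not
    monotonically non-decreasing from dispatch onwards (clock skew or tampering)."""
    issues = []
    for t in trails:
        if not t.hops or t.hops[0][0] != t.source:
            issues.append((t.source, t.seq, "first node in trail is not the source"))
            continue
        prev = t.dispatched_at
        for node, at in t.hops:
            if at < prev:
                issues.append((t.source, t.seq, f"time at {node} is earlier than the previous hop"))
                break
            prev = at
    return issues


def operations_stats(trails: List[MessageTrail]) -> Dict[str, dict]:
    """Items 1, 2 and 8 of the operations trail: messages per link, messages per
    node, and mean transit time per link. Transit times are computed only from
    trails without time anomalies so that bad clocks do not distort the mean."""
    bad = {(s, q) for s, q, _ in time_anomalies(trails)}
    per_link: Counter = Counter()
    per_node: Counter = Counter()
    transit: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for t in trails:
        for node, _ in t.hops:
            per_node[node] += 1
        for (n1, t1), (n2, t2) in zip(t.hops, t.hops[1:]):
            per_link[(n1, n2)] += 1
            if (t.source, t.seq) not in bad:
                transit[(n1, n2)].append((t2 - t1).total_seconds())
    mean_transit = {link: sum(v) / len(v) for link, v in transit.items()}
    return {"messages_per_link": dict(per_link),
            "messages_per_node": dict(per_node),
            "mean_transit_seconds": mean_transit}


def _t(h: int, m: int, s: int = 0) -> datetime:
    return datetime(2024, 3, 15, h, m, s)


# Constructed sample: two branch nodes sending through a hub to the data centre.
# BR01 seq 4 is missing; BR02 seq 2 has a hub timestamp earlier than dispatch.
SAMPLE_TRAILS = [
    MessageTrail("BR01", "teller-07", _t(9, 0, 0), 1, [("BR01", _t(9, 0, 0)), ("HUB", _t(9, 0, 2)), ("DC", _t(9, 0, 5))]),
    MessageTrail("BR01", "teller-07", _t(9, 1, 0), 2, [("BR01", _t(9, 1, 0)), ("HUB", _t(9, 1, 2)), ("DC", _t(9, 1, 5))]),
    MessageTrail("BR01", "teller-07", _t(9, 2, 0), 3, [("BR01", _t(9, 2, 0)), ("HUB", _t(9, 2, 4)), ("DC", _t(9, 2, 7))]),
    MessageTrail("BR01", "teller-07", _t(9, 4, 0), 5, [("BR01", _t(9, 4, 0)), ("HUB", _t(9, 4, 2)), ("DC", _t(9, 4, 5))]),
    MessageTrail("BR02", "batch-job", _t(9, 0, 30), 1, [("BR02", _t(9, 0, 30)), ("HUB", _t(9, 0, 33)), ("DC", _t(9, 0, 36))]),
    MessageTrail("BR02", "batch-job", _t(9, 1, 30), 2, [("BR02", _t(9, 1, 30)), ("HUB", _t(9, 1, 29)), ("DC", _t(9, 1, 35))]),
]

if __name__ == "__main__":
    print("gaps:", sequence_gaps(SAMPLE_TRAILS))
    print("anomalies:", time_anomalies(SAMPLE_TRAILS))
    print("operations trail:", operations_stats(SAMPLE_TRAILS))
```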
Computer Audit Approaches
There are three main approaches to computer auditing: audit around the computer, audit
through the computer and audit with the computer.

Audit around the computer

In the audit around the computer approach, without knowing the computer technology,
programming and other techniques used in electronic data processing, the auditor
develops procedures to review input documents and output reports only. The auditor
selects source documents to be tested and compares the computer printouts (outputs) with
the source documents.

Advantages:
1. Logic is reasonable, simple to use and familiar to auditors.
2. Specialized training is not needed.
3. Small and simple systems can be easily audited by this approach.
Disadvantages:
1. Where input data goes through many changes, true comparisons are limited.
2. It is tedious and time consuming.

Audit with the computer

In this approach, an auditor has his own PC or laptop, which can be used as a terminal to
the main server; using the software on his machine, he can audit the application running on the
server. This approach enables the auditor to audit from a remote place as well. Thus, this
approach enables the auditor to undertake remote, on-line, real-time concurrent audit.

Audit through the computer

For the most part, the auditor is now involved in auditing
through the computer. The auditor can use the computer to test:
(i) the logic and controls existing within the system and
(ii) the records produced by the system.

There are several circumstances where auditing through the computer must be used:
(i) The application system processes large volumes of input and produces large volumes of
output, which makes extensive direct examination of the validity of input and output
difficult.
(ii) Significant parts of the internal control system are embodied in the computer system.
(iii) The logic of the system is complex and there are large portions that facilitate use of the
system or efficient processing.
(iv) Because of cost-benefit considerations, there are substantial gaps in the visible audit trail.
Competence of Computer Auditors
The recognition of the relevance of computer specialists for internal auditing is part of a
general process of recognition of the value of non-accounting specialists. This is associated
with a widening scope of internal audit to embrace efficiency auditing as well as compliance
auditing, and to embrace the audit of non-accounting activities as well as accounting
activities. In the internal audit department, there should be a section on Computer Audit/EDP
audit. The computer auditor will provide technical advice to the other auditors. He may be
responsible for the selection of the appropriate computer audit package or packages for use
by the internal audit department. While he will subsequently be available to advise on the use
of these packages, all internal auditors should be competent to use them. He would also
be responsible for the development of other technical audit tools such as integrated audit
monitors, integrated test facilities etc. With the complexity of data processing, it is no longer
realistic to expect one person to have all the competence required to conduct all audits.
Auditing Software Development and Maintenance

Look at the system development/acquisition projects in your organization and others. Are any of
them slipping their schedules, overrunning their budgets, or even compromising product quality?
What is lacking is effort towards the adoption and implementation of structured software
development practices. Although technology can help, such as state-of-the-art project
management and software development tools, it is the people and the well-defined and well-
documented internal processes that make all the difference.

(a) System Planning
In this phase, the project’s scope, objectives, costs, benefits, and technical and
economic feasibility are defined and determined. The internal computer auditor should be
involved in this phase so that they can anticipate future systems developments, which
requires them to gain the necessary knowledge to deal with the new technical concepts that are
planned.
(c) Detailed Technical Specifications & System Designing
Within this phase, the system analyst
translates the user specifications into technical concepts at the level necessary to communicate
with programmers. This phase involves even closer coordination between the user and the EDP
department/CPPD. With appropriate technical knowledge and computer experience, the
computer auditor can review this phase to ascertain whether a reasonable translation has been made
with adequate security & control features. Otherwise, major problems during/after
implementation can prove to be very costly.

(d) Programming
This is the conversion of the technical specifications defined (design made) by
the system analyst into computer operating instructions (source coding).

(e) User Procedures & Training
This phase includes the preparation of procedures for the
conversion to, and the operation of, the new system. Computer auditors should check whether the
user has adequate procedure manuals and related job descriptions, which serve to increase
user awareness and control over the system.
(f) System Test
The system test is an acceptance test conducted by the systems group and the
user. The computer auditor’s participation is very much essential. It is the last line of defense
before implementation. Tests performed should be recorded and test checks should be
retained (with their results) to indicate the adequacy and success of system testing. Users’ &
auditors’ approvals should be the last step in this phase.

(g) Implementation (i.e., Porting from existing to new System)
This is the phase in which the
conversion of data, equipment and procedures takes place. It should occur in a carefully
planned and controlled environment. The computer auditor should be concerned about the
integrity and consistency of the data and procedures (manual as well as computer procedures)
while doing the conversion. This gives rise to the concept of “Conversion Audit”.
(h) Post-implementation Review
A review (on a continuous basis) should be made by the
computer auditor after the implementation to assure that all areas of the system are
operating as intended. In many banks & financial institutions, the number of computer auditors
is quite inadequate to cope with the task spelled out here. There is an urgent need to
develop this area.
Emerging Trends in IS Audit
Most IS audit teams are becoming acquainted with auditing technology that allows for remote
work and well-established corporate IT systems, and many are beginning to use Data Analytics
and Big Data to inform their audits. However, it is now critical to keep an eye on emerging
technologies such as RPA (Robotic Process Automation), AI (Artificial Intelligence), and
Blockchain, which are still relatively uncommon but are expected to grow rapidly. IS audit must
stay one step ahead of any risks or assurance gaps that may arise as a result of these technologies.
Other examples include virtual reality, the internet of behaviours, the internet of things,
bioinformatics, and natural language processing, as well as quantum computing and 5G. RPA,
AI, and blockchain are the most widely used and well-established, so these are the ones that IS
auditors are looking into.
Common risks with RPA (Robotic Process Automation)
Risks associated with RPA, which is used to automate frequently repeated processes that are
critical for day-to-day business, include inappropriate process selection, incorrect configuration,
unexpected costs, security, inadequate performance, and change management. For example,
one application of RPA could be a chatbot designed to filter common customer questions.
Incorrect configuration may cause the bot to delay passing customers who require additional
assistance to a human contact, alienating customers. Similarly, an RPA system may incur
unexpected costs if, for example, a bot replaces call centre staff but then requires specialized
maintenance and more skilled and expensive people to manage it. Other IS audit
considerations include whether a bot handles sensitive data that is subject to privacy or other
regulations, and whether it regularly connects to organisations outside of the corporate firewall,
introducing new risks of breaches or misused data. The sheer volume of data passing through
an RPA system may necessitate new safeguards and checks. Management of an RPA system
may also pose a risk, if it is used to automate an area where frequent changes are
implemented. It may necessitate additional layers of processes each time this occurs, which
adds time and complexity.
Common risks with AI (Artificial Intelligence)
AI introduces a new set of risks. The more data the system uses from more sources, the more
entry points and connections are formed, and the greater the potential risks. There may also be
physical risks if a company uses AI in products like autonomous vehicles or to detect when heavy
machinery needs maintenance. There have also been reports of AI systems being primed with
data, which results in inherent bias. If a system is designed using data collected over a long
period of time and is configured to make decisions based on prior rationale, it is likely to make
similar decisions, which may reflect observed human biases from that time period. This
increases the likelihood that a company will not only shortlist the wrong candidates, but will
also suffer reputational damage and possibly legal costs. IS Audit should investigate how this is
monitored and whether bias is identified, managed, and corrected in a timely manner.
RBI GUIDELINES ON IS AUDIT

Roles & Responsibilities

1. Board of Directors and Senior Management: To meet the responsibility to provide an
independent audit function with sufficient resources to ensure adequate IT coverage, the
board of directors or its audit committee should provide an internal audit function which is
capable of evaluating IT controls adequately.

2. Audit Committee of the Board: The Audit Committee should devote appropriate and
sufficient time to IS audit findings identified during IS Audits, and members of the Audit
Committee would need to review the critical issues highlighted and provide appropriate guidance
to the bank’s management.

3. Internal Audit/Information System Audit function: Banks should have a separate IS Audit
function within the Internal Audit department, led by an IS Audit Head who assumes responsibility
and accountability for the IS audit function and reports to the Chief Audit Executive (CAE) or
Head of Internal Audit.
Critical Components and Processes

1. IS Audit: Because IS Audit is an integral part of the Internal Audit function, IS auditors will also be
required to be independent, competent and exercise due professional care.

2. Outsourcing relating to IS Audit: Risk evaluation should be performed prior to entering into
an outsourcing agreement and reviewed periodically in light of known and expected changes,
as part of the strategic planning or review process.

3. Audit Charter, Audit Policy to include IS Audit: An Audit Charter/Audit Policy is a
document which guides and directs the activities of the Internal Audit function. IS Audit, being
an integral part of the Internal Audit function, should also be governed by the same Audit
Charter/Audit Policy. The document should be approved by the Board of Directors. The IS Audit
policy/charter should be subjected to an annual review to ensure its continued relevance and
effectiveness.
4. Planning an IS Audit: Banks need to carry out IS Audit planning using the Risk Based Audit
Approach. The approach involves aspects like IT risk assessment methodology, defining the IS
Audit Universe, scoping and planning the audit, execution and follow-up activities.

5. Executing IS Audit: During the audit, auditors should obtain evidence, perform test procedures,
appropriately document findings, and conclude with a report.

6. Reporting and Follow up: This
phase involves reporting audit findings to the CAE and Audit Committee. Before reporting the
findings, it is imperative that IS Auditors prepare an audit summary memorandum providing an
overview of the entire audit process from planning to audit findings.
