The Process of Auditing Information Systems
The use of computers and computer-based information systems has pervaded deep and wide in every modern-day organization. An organization must exercise control over these computer-based information systems because the cost of errors and irregularities that may arise in these systems can be high and can even challenge the very existence of the organization. An organization's ability to survive can be severely undermined through corruption or destruction of its database; decision-making errors caused by poor-quality information systems; losses incurred through computer abuses; and loss of computer assets and of control over how the computers are used within the organization. Therefore, managements across the world have deployed specialized auditors to audit their information systems to find gaps between declared policies and actual use, and shortcomings in information system design and usage.
1.2 Definition Information Systems Auditing
Information Systems Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently. The IS auditor should see not only that adequate internal controls exist in the system but also that they work effectively to ensure results and achieve objectives. Internal controls should be commensurate with the risk assessed so as to reduce the impact of identified risks to acceptable levels. IT auditors need to evaluate the adequacy of internal controls in computer systems to mitigate the risk of loss due to errors, fraud and other acts, and disasters or incidents that cause the system to be unavailable.
An IS auditor is also responsible for assessing the strength and effectiveness of controls that are designed to protect information systems, and for ensuring that audit engagements are planned, designed, and reviewed based on the assessed level of risk that irregular and illegal acts might occur. These acts could be material to the subject matter of the IS auditor’s report. The IS auditor is not qualified to determine whether an irregular, illegal, or erroneous act has occurred, but has the responsibility to report suspected acts to the appropriate parties. Determining whether information systems safeguard assets and maintain data integrity is the primary objective of an IS audit function.
The IS auditor is ultimately responsible to senior management and to the audit committee of the board of directors. Before communicating the results to senior management, the IS auditor should discuss the findings with the management staff of the audited entity to gain agreement on the findings and to develop a course of corrective action.
An internal audit department that organizationally reports exclusively to the chief financial officer (CFO) rather than to an audit committee is very likely to have its audit independence questioned.
1.3 Auditing Standards for Information Systems Auditing
The specialized nature of Information Systems auditing, and the professional skills and credibility necessary to perform such audits, require standards that apply specifically to IS auditing. Standards, procedures and guidelines have been issued by various institutions, which discuss the way the auditor should go about auditing Information Systems. In line with such developments, the Supreme Audit Institution of India, for instance, has declared a mission to adopt and evolve standards, guidelines and best practices for auditing in a computerized environment. This will lend credibility and clarity to conducting audits in a computerized environment. The framework for the IS Auditing Standards provides multiple levels of guidance. Standards provide a framework for all audits and auditors and define the mandatory requirements of the audit. They are broad statement of auditors’...