
AUDITING IN CIS ENVIRONMENT

CHAPTER 3
AVAILABILITY OF INFORMATION SYSTEM

Objectives
1. Discuss the availability of information systems
2. Explain database management
3. Explain the conversion audit

Availability of Information Systems

This section discusses the availability of information systems.


Security serves three purposes: confidentiality, integrity and availability.
Access controls provide confidentiality and integrity, while the business
continuity process and back-up procedures provide availability.

Availability risk is one of the major technology risks. As business processes
become more tightly coupled with information systems, which are in turn
exposed to technology risks, there is a dire need to have a disaster recovery
plan in place. While insurance can compensate for the loss of resources, a
disaster recovery plan puts IS resources in place to be used if such a
disaster ever occurs. It is, therefore, a corrective control.

A business continuity plan begins with a business impact analysis and involves
risk evaluation and loss estimates for the outage. On the basis of outage costs,
disaster recovery resources are put in place. Owing to cost/benefit
considerations, disaster recovery resources cannot be put in place for all types
of disaster; they are put in place for the likely disasters and for critical
applications. The estimates made and priorities set for the disaster recovery
plan also give financial auditors an idea of the risks and importance of each
application. This can also be a factor when planning an audit in a computerized
environment.

Access Control

All information systems involve two basic pieces of software, the operating
system and the database. Both have the ability to control access to data and
applications. The operating system controls access at the directory and file
level, while the database controls access at the record and field level. In
this section we discuss the capabilities of operating systems to implement
security.

Application controls are implemented using the access control facilities of
operating systems and database systems. Both provide an interface between the
application controls and the general IS controls. To ensure data integrity, it
is necessary to control access to the data, applications and other resources.

All users must get just-minimum-access, which has two aspects to it:

- First, only authorized users should have access.

- Second, even authorized users should not have full access. Access should be
need based.

For this, all operating systems have two types of facilities, namely
authentication and authorization. Authentication allows only the authorized
users to access the system. Authorization allows just-minimum-access to files
and directories. To manage both these facilities, every operating system has a
facility called systems administration. The first thing auditors should do when
they start working under a new operating system is to get to know the
authorization, authentication and systems administration functions relating to
these facilities. Fortunately, all operating systems have more or less the same
type of facilities, so the learning becomes quicker.
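An added example, not from the lecture notes, of the directory- and file-level check just described: a small Python audit script that walks a tree and reports every entry whose permission bits grant access beyond the owner, run against a constructed sample payroll directory. The file names and modes are assumed for illustration.

```python
import os
import stat
import tempfile

# Mode bits that grant access beyond the owner, i.e. beyond just-minimum-access
# for a file that only its owner needs to handle.
WORLD_ACCESS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
PRIVILEGED = stat.S_ISUID | stat.S_ISGID


def audit_tree(root):
    """Walk a directory tree and return sorted (relative path, finding) tuples
    for every entry whose permission bits exceed owner-only access."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & WORLD_ACCESS:
                findings.append((rel, "world-readable or executable"))
            if mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if mode & PRIVILEGED:
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a payroll directory holding one owner-only file
    and two over-permissive ones. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="audit_")
    os.chmod(root, 0o700)
    modes = {
        "ledger.dat": 0o600,   # owner-only: conforms
        "export.csv": 0o666,   # group- and world-writable: two findings
        "runpay.sh": 0o4755,   # setuid plus world-executable: two findings
    }
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)
    return root
```

The script reads POSIX mode bits, so it is meaningful on Unix-like systems only.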

Database Management

A database provides two important features: data sharing and data
independence. Data sharing means that users and applications share data, and
data independence means data is stored independently of applications. These
features make information system implementation easy and, at the same time,
increase the security concerns. A database offers facilities like a data
dictionary and a database administrator to implement the database. A database
management system also provides facilities to address the concerns raised by
data sharing and data independence. Every database provides facilities to
implement sign-on procedures (user identification and authentication) and
authorization mechanisms. To maintain data integrity, the just-minimum-access
rule should be followed. The database facilities are used to create the audit
trail and to implement application controls. The data files need to be backed
up regularly.

The IT Act has prescribed that all record retention rules are also applicable to
electronic records. The Reserve Bank of India has also prescribed record
retention rules for banks, and the IFAC has issued standards for database
systems used in accounting information systems. Oracle is the most commonly
used RDBMS in India and worldwide, providing facilities to implement access
controls through sign-on procedures and authorization. Authorization is
implemented through object ownership, granting of privileges, creation of
roles and assignment of roles to users.
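An added Python example, not part of the notes, of how an auditor can review the authorization model just described (privileges on owned objects, roles, nested roles, roles assigned to users): it resolves each user's effective privileges through the whole role chain and compares them with an approved need-based set. The grant listing, user names and approved matrix are constructed for illustration, modelled on the Oracle scheme the text names.

```python
from collections import deque

# Constructed grant listing, modelled on the Oracle authorization model the
# text describes: privileges granted on owned objects to users or roles,
# roles granted to users or to other roles.
OBJECT_GRANTS = [  # (grantee, owner, object, privilege)
    ("AP_CLERK", "FIN", "INVOICES", "SELECT"),
    ("AP_CLERK", "FIN", "INVOICES", "INSERT"),
    ("AP_SUPERVISOR", "FIN", "INVOICES", "UPDATE"),
    ("AP_SUPERVISOR", "FIN", "PAYMENTS", "INSERT"),
    ("REPORTING", "FIN", "GL_BALANCES", "SELECT"),
    ("JSMITH", "FIN", "PAYMENTS", "DELETE"),  # direct grant that bypasses roles
]
ROLE_GRANTS = [  # (grantee, granted role)
    ("AP_SUPERVISOR", "AP_CLERK"),  # nested role
    ("JSMITH", "AP_SUPERVISOR"),
    ("JSMITH", "REPORTING"),
    ("RPATEL", "AP_CLERK"),
]
# Need-based access approved by the process owner (just-minimum-access).
APPROVED = {
    "JSMITH": {("FIN", "INVOICES", "SELECT"), ("FIN", "INVOICES", "INSERT"),
               ("FIN", "INVOICES", "UPDATE"), ("FIN", "PAYMENTS", "INSERT")},
    "RPATEL": {("FIN", "INVOICES", "SELECT"), ("FIN", "INVOICES", "INSERT")},
}


def effective_privileges(user, object_grants=OBJECT_GRANTS, role_grants=ROLE_GRANTS):
    """Resolve every privilege a user holds directly or through any chain of
    roles. Returns {(owner, object, privilege): grant path} so the reviewer
    can see how each privilege was obtained."""
    privs = {}
    seen = {user}
    queue = deque([(user, user)])
    while queue:
        grantee, path = queue.popleft()
        for g, owner, obj, priv in object_grants:
            if g == grantee:
                privs.setdefault((owner, obj, priv), path)
        for g, role in role_grants:
            if g == grantee and role not in seen:  # 'seen' also stops role cycles
                seen.add(role)
                queue.append((role, path + " -> " + role))
    return privs


def excess_privileges(user):
    """Privileges held beyond the approved need-based set, with their source."""
    approved = APPROVED.get(user, set())
    return {k: v for k, v in effective_privileges(user).items() if k not in approved}
```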

Application Controls and their Functioning

In this section, we explain various types of application controls and their
functioning. Business faces two types of operational risk: business risks and
technology risks. Technology risks are controlled and mitigated by general IS
controls, and business risks by application controls. However, it is difficult
to draw a dividing line between the two, since application controls are
implemented on the facilities provided by general IS controls.

The primary purpose of application controls is data integrity. This is achieved
by ensuring the integrity of input, processing and output. Application controls
primarily deal with the audit objects. The objective of any audit is to verify
the assertions made in the financial statements. Assessing the application
controls can address all seven types of assertion made in a financial
statement. COBIT deals with application controls at length in all the phases of
information systems management.

Application controls can be divided into:

- Validation of input
- Authorization of input
- Completeness of input
- Accuracy of input
- Integrity of stored data
- Integrity of standing data
- Completeness and accuracy of standing data
- Completeness and accuracy of processing
- Restricted access to assets and data
- Confidentiality and integrity of output

Application controls being program procedures, their effectiveness can be
tested either by continuous audit or by a substantive audit using general audit
software. In the next section, we explain how general audit software can be
used for assessing application controls.

Evaluation of Business Risks

The job of a financial auditor is to evaluate business risks. Business risks
are controlled and managed by implementing application controls. Therefore, the
primary duty of a financial auditor is to evaluate application controls to
reduce the control risk to the minimum. Computers follow the
garbage-in-garbage-out principle. It is, therefore, better if application
controls are evaluated for compliance. Since application controls are program
procedures, if they comply with the internal control policies of the company
once, they shall continue to comply unless changed. However, as in the manual
environment, compliance testing is difficult, indirect and requires more cost,
time and resources. Therefore, in most cases, substantive testing is done.
Compliance testing is done only for the crucial systems.

The aim of substantive testing, or for that matter all types of testing, is to
evaluate the assertions made in the financial statement, that is, whether the
financial statement depicts a true and fair picture. Since the auditor cannot do
much about the inherent risks and control risks, he has to plan his audit to use
such tools and techniques as reduce the detection risk. Computer-assisted tools
and techniques help here, and more so a general tool-set providing facilities
to conduct substantive testing.

ACL is the market leader in the arena of general audit software. The software
provides the facilities needed by an auditor to evaluate all the seven types of
assertions made in any financial statement. In addition, it also offers the facility
to create work papers crucial in any audit assignment, besides providing an
option to understand the data and files.

ACL Software offers tools to understand the quantitative features of the data
as well as the qualitative features of the data. Moreover, it provides facilities to
conduct substantive testing.

To enable both analytical procedures and substantive testing at the transaction
level, it has utility facilities like indexing, sorting, joining, setting
relations, creating output files, exporting files, extracting files, etc.

ACL has an excellent feature to create the command log. This keeps a check on
the auditor, improves the audit quality and also proves useful for work papers.
Each ACL document, by default, has a log file. In addition, ACL can also be used
for testing the controls implemented on the system, like the security facilities
of an operating system and database. Therefore, it can also help in systems
audit.
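An added Python example (not ACL, and not the notes' own material) that performs, over constructed sales data, the substantive tests that the application-control list and the ACL section describe: control totals, sequence gaps, duplicates, a join to standing data, and a command log recording each test run. The record layout, values and customer master are assumed.

```python
import functools
from collections import Counter

# Constructed sample data: a sales transaction file and the customer master
# (standing data) it should reconcile to.
SALES = [
    {"inv": 1001, "cust": "C01", "amount": 250.00},
    {"inv": 1002, "cust": "C02", "amount": 1200.00},
    {"inv": 1003, "cust": "C01", "amount": 75.50},
    {"inv": 1003, "cust": "C01", "amount": 75.50},  # posted twice
    {"inv": 1005, "cust": "C09", "amount": 300.00},  # 1004 missing; C09 not in master
]
CUSTOMERS = {"C01": "Acme Ltd", "C02": "Globex"}
COMMAND_LOG = []  # every test run is recorded, as ACL does in its per-document log


def logged(test):
    """Record the test name and its result so the log can go into the work papers."""
    @functools.wraps(test)
    def wrapper(*args, **kwargs):
        result = test(*args, **kwargs)
        COMMAND_LOG.append(f"{test.__name__}: {result}")
        return result
    return wrapper


@logged
def control_totals(records):
    """Record count and amount total, to agree to the control account."""
    return len(records), round(sum(r["amount"] for r in records), 2)


@logged
def sequence_gaps(records, key="inv"):
    """Completeness of input: numbers missing from the document sequence."""
    present = {r[key] for r in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


@logged
def duplicates(records, key="inv"):
    """Accuracy of input: document numbers posted more than once."""
    return sorted(k for k, n in Counter(r[key] for r in records).items() if n > 1)


@logged
def unmatched(records, master, key="cust"):
    """Integrity of standing data: transactions whose key has no master record."""
    return sorted({r[key] for r in records if r[key] not in master})
```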

Conversion Audit

This section explains conversion audit. Conversion to the computerized
environment is fast picking up in India. The process has also been accelerated
by the enactment of the Information Technology Act, 2000 and the instructions
from the Chief Vigilance Commissioner to the banking sector to computerize 100%
of their business. Data conversion is a part of any software project. It
requires a lot of technical competence to be able to convert from one database
to another and from one application to another. A conversion audit is conducted
to check the accuracy of such conversion.
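An added Python example, not part of the notes, of the accuracy check a conversion audit performs between a legacy extract and the converted table: record counts, control totals, missing and extra keys, and field-level differences found through per-record hash totals. The account records are constructed for illustration.

```python
import hashlib
from decimal import Decimal

# Constructed sample: customer balances as extracted from the legacy system
# (SOURCE) and as loaded into the new database (TARGET), keyed by account.
SOURCE = [
    {"acct": "A100", "name": "Acme Ltd", "balance": "1500.00"},
    {"acct": "A101", "name": "Globex", "balance": "250.75"},
    {"acct": "A102", "name": "Initech", "balance": "0.00"},
    {"acct": "A103", "name": "Umbrella", "balance": "99.99"},
]
TARGET = [
    {"acct": "A100", "name": "Acme Ltd", "balance": "1500.00"},
    {"acct": "A101", "name": "Globex", "balance": "250.57"},  # digits transposed
    {"acct": "A103", "name": "Umbrella", "balance": "99.99"},  # A102 was dropped
    {"acct": "A104", "name": "Stark", "balance": "10.00"},     # not in source
]
FIELDS = ("acct", "name", "balance")


def record_hash(rec):
    """Hash total of one record over the converted fields."""
    return hashlib.sha256("|".join(rec[f] for f in FIELDS).encode()).hexdigest()


def reconcile(source, target):
    """Compare source and converted data on record count, control total,
    key coverage and field content. Counts alone would pass here because a
    dropped record is masked by an extra one, hence the further checks."""
    src = {r["acct"]: r for r in source}
    tgt = {r["acct"]: r for r in target}
    report = {
        "count": (len(src), len(tgt)),
        "control_total": (str(sum(Decimal(r["balance"]) for r in src.values())),
                          str(sum(Decimal(r["balance"]) for r in tgt.values()))),
        "missing_in_target": sorted(set(src) - set(tgt)),
        "extra_in_target": sorted(set(tgt) - set(src)),
        "changed": [],
    }
    for acct in sorted(set(src) & set(tgt)):
        if record_hash(src[acct]) != record_hash(tgt[acct]):
            diffs = {f: (src[acct][f], tgt[acct][f])
                     for f in FIELDS if src[acct][f] != tgt[acct][f]}
            report["changed"].append((acct, diffs))
    report["clean"] = (report["count"][0] == report["count"][1]
                       and report["control_total"][0] == report["control_total"][1]
                       and not report["missing_in_target"]
                       and not report["extra_in_target"]
                       and not report["changed"])
    return report
```

Balances are compared as decimal strings rather than floats so that a one-cent difference is never lost to rounding.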

For information about the audit of computerized information systems, watch this
video:
https://youtu.be/GKXZTse8Mgo
For more information about controlling and auditing a DBMS, watch this video:
https://youtu.be/mNfh430hVQs
Additional information on COBIT and IS controls:
https://youtu.be/afcjAPKh4zA

Reference:
Compilation of lecture notes by Dean Bacay
