
MASENO UNIVERSITY

SCHOOL OF COMPUTING & INFORMATICS


DEPARTMENT OF INFORMATION TECHNOLOGY

Course Name: Information Assurance & Security

Course Code: UCI 403

Topic 8: Performing Information System Auditing

IS Audit Definitions

Information Systems audit is the process of collecting and evaluating evidence to
determine whether the information systems and related resources adequately safeguard
assets, maintain data and system integrity, provide relevant and reliable information,
achieve organizational goals effectively, consume resources efficiently, and have in effect
internal controls that provide reasonable assurance.
The objectives of Information Systems Audits

IS Audits are required to give reasonable assurance on the following regarding ICT
systems:
• That Information Technology and the controls supporting such technologies assist
the organization in achieving its business objectives (effectiveness) with less
wastage (efficiency)
• Confidentiality of information contained in the systems
• Availability of the information and the systems
• Reliability (consistency) of the systems
• Compliance with legal and regulatory requirements

The Need for I.S. Auditing (Why Auditing?)

• Increasing level of computerization of manual functions
• Rapid technological development
• Lack of user knowledge resulting in insecure practices
• Enhanced role of computer networks
• Viruses, worms, hackers and other security threats
• Changing regulatory environment

Other Types of Audits

You should understand the various types of audits that can be performed, internally or
externally, and the audit procedures associated with each:

• Financial audits —assess the correctness of an organization’s financial statements. A
financial audit will often involve detailed, substantive testing. This kind of audit relates to
information integrity and reliability.

• Operational audits —evaluate the internal control structure in a given process or area.
IS audits of application controls or logical security systems are examples of operational
audits.

• Integrated audits —An integrated audit combines financial and operational audit steps.
It is also performed to assess the overall objectives within an organization, related to
financial information and assets’ safeguarding, efficiency and compliance. An integrated
audit can be performed by external or internal auditors and would include compliance
tests of internal controls and substantive audit steps.

• Administrative audits —assess issues related to the efficiency of operational
productivity within an organization.

• Information systems audits —This process collects and evaluates evidence to
determine whether the information systems and related resources adequately safeguard
assets, maintain data and system integrity, provide relevant and reliable information,
achieve organizational goals effectively, consume resources efficiently, and have in effect
internal controls that provide reasonable assurance.

• Specialized audits —Within the category of IS audits, there are a number of specialized
reviews that examine areas such as services performed by third parties and forensic
auditing.

• Forensic audits —Traditionally, forensic auditing has been defined as an audit
specialized in discovering, disclosing and following up on frauds and crimes.
In recent years, the forensic professional has been called upon to participate in
investigations related to corporate fraud and cybercrime.

STEPS IN INFORMATION SYSTEMS AUDITS

1. Approving the audit charter or engagement

The audit charter gives the authority to perform the audit and is issued by the executive
management of the organization. It outlines the responsibility, authority and
accountability of the auditor, including the agreed completion date and deliverables.

2. Preplanning the audit

This includes gaining knowledge of the business, such as its strategic plans, business
objectives and the operational objectives of internal controls. It also includes identifying
the critical success factors of the audit and developing the audit project plan.

3. Performing risk assessment

Risk assessment involves identification of the following:
i. Assets to be protected
ii. Exposures to those assets
iii. Threats to the assets
iv. Internal and external sources of the threats
v. Security issues that need to be addressed

The result of the risk assessment can be one of the following risk treatments:
• Accept the risk: ignoring it or living with it
• Mitigate (reduce): do something to lower the possibility of getting hurt. Internal
controls are designed to mitigate the risk
• Transfer: let someone else take the chance of loss, e.g. by using an insurance company
• Avoid: change the situation to avoid taking the risk

5. Determining whether audit is possible

This entails identifying the risks of the audit itself and whether it will be possible to
obtain meaningful evidence from the audit.

6. Performing the actual audit

Assign appropriate staff to perform proper data collection and review the existing
controls.

7. Gathering the evidence


Data collection can be done through observation, reviewing existing documentation,
interviewing staff, and holding workshops to build awareness and understanding.

8. Performing audit tests


Perform either compliance testing or substantive testing.

Compliance testing tests for the presence or existence of something. It includes
verifying that policies and procedures have been put in place and that user access
rights, program control procedures and system logs have been activated. An example
of a compliance test is comparing the list of persons with physical access to the data
centre to the HR list of current employees.

Substantive testing seeks to verify the content and integrity of evidence and the
effectiveness of the controls put in place. It includes verifying account balances,
performing physical inventory counts, and executing detailed scans to test the
effectiveness of specific system configurations. CAATs can be applied here.
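As an added illustration of the compliance test the notes describe (comparing data-centre physical access holders to the HR list of current employees), here is example code that is not part of the lecture; the badge and HR records are constructed sample data, and the severity ranking follows the "rank findings by seriousness" step later in the notes.

```python
"""Compliance test: reconcile the data-centre physical access list against HR's
current-employee list, then rank the findings. All data below is constructed."""
from dataclasses import dataclass

# Constructed sample: badge holders with physical access to the data centre.
ACCESS_LIST = [
    {"badge": "DC-001", "name": "A. Otieno", "employee_id": "E100"},
    {"badge": "DC-002", "name": "B. Wanjiru", "employee_id": "E101"},
    {"badge": "DC-003", "name": "C. Kamau", "employee_id": "E205"},   # has left
    {"badge": "DC-004", "name": "Vendor Tech", "employee_id": None},  # no HR record
]

# Constructed sample: HR list of employees and their current status.
HR_LIST = [
    {"employee_id": "E100", "status": "active"},
    {"employee_id": "E101", "status": "active"},
    {"employee_id": "E205", "status": "terminated"},
]


@dataclass
class Finding:
    badge: str
    reason: str


def reconcile_access(access_list, hr_list):
    """Return one Finding per badge holder whose access is not backed by an
    active HR record: unknown employee id, or employee no longer active."""
    status_by_id = {e["employee_id"]: e["status"] for e in hr_list}
    findings = []
    for entry in access_list:
        emp_id = entry["employee_id"]
        if emp_id is None or emp_id not in status_by_id:
            findings.append(Finding(entry["badge"], "no matching HR record"))
        elif status_by_id[emp_id] != "active":
            findings.append(Finding(entry["badge"],
                                    f"employee status is {status_by_id[emp_id]}"))
    return findings


def rank_findings(findings):
    """Rank by seriousness: access with no HR record at all is treated as more
    serious than a stale record for a known former employee (assumed ranking)."""
    severity = {"no matching HR record": 2}
    return sorted(findings, key=lambda f: severity.get(f.reason, 1), reverse=True)


if __name__ == "__main__":
    for f in rank_findings(reconcile_access(ACCESS_LIST, HR_LIST)):
        print(f.badge, "-", f.reason)
```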

9. Analyzing the results: preparing summaries and ranking the findings according to
their seriousness

10. Reporting the results

This involves preparing a presentation of your findings; reporting is used to convey the
findings to management. The report includes the following elements:
• Audit Scope
• Audit Objectives
• Methods and criteria used
• Nature of work performed
• Applicable dates of coverage
• Audit Findings Summary
• Recommendations

11. Conducting any follow-up activities


This involves identifying events that might have occurred after the completion of the
audit that might pose a risk to the audited area. It also entails following up to confirm
that the recommendations are being implemented.

INFORMATION SYSTEMS CONTROLS AUDITS

An IS control audit involves two types of testing:

• Compliance testing and
• Substantive testing.
Compliance Testing
Compliance testing determines if controls are being applied in the manner described in
the programme documentation or as described by the auditee. A compliance test
determines if controls are being applied in a manner that “complies with”
management policies and procedures.

Substantive testing
A substantive audit “substantiates” the adequacy of existing controls in protecting the
organisation from fraudulent activity and encompasses substantiating the reported
results of processing transactions or activities. Substantive testing of the auditee’s data
can be done with the help of CAATs software.

QUESTIONS FOR FURTHER READING

a) Discuss the benefits and limitations of internal controls
b) Explain the importance of the Control Environment in ensuring the effectiveness
of internal controls
c) What do we mean by Technology Characterization?
d) With examples, explain administrative, physical, preventive, detective and
corrective internal controls
e) Discuss the fraud triangle as applied in computer data processing
