
SYSTEM AUDIT

Introduction

Information System Auditing, also referred to as automated data processing (ADP) auditing, electronic data processing (EDP) auditing and information technology (IT) auditing, is primarily an examination of the system controls within an IT architecture: the process of evaluating the suitability and validity of an organization's IT configurations, practices and operations. Information System Auditing has been developed to allow an enterprise to achieve its goals effectively and efficiently by assessing whether its computer systems safeguard assets and maintain data integrity. Within a for-profit organization, managers are typically concerned that the systems they use provide the most effective way to maximize return on stakeholder investments. Other groups, such as environmental and civil rights groups, are concerned with other aspects of how an enterprise runs its business.

Foundations of Information System Auditing


The advent of computing brought with it a whole new chapter in the audit process. Computers affected the auditors' ability to carry out part of what they had previously done. Matters such as system privileges and how they determine what data a person can access, and the suitability of the audit trail provided by the application as evidence for ascertaining whether events have occurred and when, are not always fully present in some systems. Information system auditing bases its framework on the knowledge of four other disciplines: information system management, computer science, behavioural science and traditional auditing.

Information Systems Management


In the early days of computing there was a litany of problems with cost overruns, overblown budgets and, in some cases, systems failing to meet even minimal specifications. Many modern techniques, such as project management, work to reduce the incidence of this happening.

Elements of IS Audit

An information system is not just a computer. Today's information systems are complex and have many components that piece together to make a business solution. Assurance about an information system can be obtained only if all the components are evaluated and secured: the chain is only as strong as its weakest link. The major elements of IS audit can be broadly classified as follows.

Physical and environmental review
This includes physical security, power supply, air conditioning, humidity control and other environmental factors.

System administration review
This includes a security review of the operating systems, database management systems, all system administration procedures and compliance.

Application software review
The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software, and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.

Network security review
Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.

Business continuity review
This includes the existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.

Data integrity review
The purpose of this is scrutiny of live data to verify the adequacy of controls and the impact of weaknesses noticed in any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).
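An added example (not from the handout) of the kind of substantive test a data integrity review runs with generalized audit software: a constructed accounts-payable extract is scanned for duplicate payments, invoice-number gaps and reuse, and authorization exceptions against an assumed single-approver limit. The records, field names and limit are all assumptions made for the illustration.

```python
"""Constructed CAAT-style substantive tests over a small accounts-payable extract."""
from collections import Counter

# Constructed "live" records: invoice number, vendor, amount and approver user id.
INVOICES = [
    {"no": 1001, "vendor": "ACME", "amount": 1200.00, "approver": "jdoe"},
    {"no": 1002, "vendor": "ACME", "amount": 1200.00, "approver": "jdoe"},     # same vendor/amount again
    {"no": 1003, "vendor": "Globex", "amount": 48000.00, "approver": "jdoe"},  # above approval limit
    {"no": 1005, "vendor": "Initech", "amount": 300.00, "approver": ""},       # 1004 missing; no approver
    {"no": 1005, "vendor": "Initech", "amount": 300.00, "approver": "asmith"}, # invoice number reused
]
APPROVAL_LIMIT = 25000.00  # assumed control: largest amount one approver may release


def duplicate_payments(invoices):
    """Vendor/amount pairs paid more than once: candidate duplicate payments."""
    seen = Counter((i["vendor"], i["amount"]) for i in invoices)
    return sorted(key for key, n in seen.items() if n > 1)


def sequence_gaps_and_reuse(invoices):
    """Gaps in the invoice sequence (possible missing documents) and reused numbers."""
    nos = [i["no"] for i in invoices]
    present = set(nos)
    gaps = [n for n in range(min(nos), max(nos)) if n not in present]
    reused = sorted(n for n, c in Counter(nos).items() if c > 1)
    return gaps, reused


def authorization_exceptions(invoices, limit=APPROVAL_LIMIT):
    """Invoices released with no approver or above the single-approver limit."""
    return [i["no"] for i in invoices if not i["approver"] or i["amount"] > limit]


def run_review(invoices):
    """Collect all exceptions for the auditor's working papers."""
    gaps, reused = sequence_gaps_and_reuse(invoices)
    return {
        "duplicates": duplicate_payments(invoices),
        "sequence_gaps": gaps,
        "reused_numbers": reused,
        "authorization": authorization_exceptions(invoices),
    }


if __name__ == "__main__":
    for test, hits in run_review(INVOICES).items():
        print(f"{test}: {hits}")
```

Each hit is a lead for follow-up with the process owner, not a finding by itself; the auditor still traces it to source documents to assess control adequacy and impact.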

Audit Risks

Auditors are concerned with four objectives: asset safeguarding, data integrity, system effectiveness and system efficiency. One of the key tasks of auditing is to identify whether errors and irregularities will cause material losses. Auditing might also assess whether the processes followed have contributed, or are contributing, to any ongoing losses. To assess these, auditors need to collect evidence. Auditors might not detect real or potential losses because of the test-based nature of the audit. As a basis for determining the desired level of risk, the following model is of some significance:

DAR = IR × CR × DR

where DAR is the desired audit risk, IR is the inherent risk, CR is the control risk and DR is the detection risk. In particular, DR is an allowance for the possibility of overlooking something when building the risk profile; for instance, a missed script or an error in some code. The likelihood of these events occurring should add up to the DR for the audit area.

The Audit Process

The preparation before commencing an audit involves collecting background information and assessing the resources and skills required to perform the audit. This enables staff with the right kind of skills to be allotted to the right assignment. It is always good practice to hold a formal audit commencement meeting with the senior management responsible for the area under audit to finalize the scope, understand any special concerns, schedule the dates and explain the methodology for the audit. Such meetings get senior management involved, allow people to meet each other, clarify issues and underlying business concerns, and help the audit to be conducted smoothly. Similarly, after the audit scrutiny is completed, it is better to communicate the audit findings and suggestions for corrective action to senior management in a formal meeting using a presentation. This will ensure better understanding and increase buy-in of audit recommendations.

Security Auditing

Auditing information security is a vital part of any IT audit and is often understood to be the primary purpose of an IT audit. The broad scope of auditing information security includes such topics as data centers (the physical security of data centers and the logical security of databases, servers and network infrastructure components), networks and application security. Like most technical realms, these topics are always evolving; IT auditors must constantly continue to expand their knowledge and understanding of the systems and environment. Several training and certification organizations have evolved. Currently, the major certifying bodies in the field are the Institute of Internal Auditors (IIA), the SANS Institute (specifically, the audit-specific branch of SANS and GIAC) and ISACA. While CPAs and other traditional auditors can be engaged for IT audits, organizations are well advised to require that individuals with some type of IT-specific audit certification are employed when validating the controls surrounding IT systems.

Audit Personnel Qualifications

The CISM and CAP credentials are the two newest security auditing credentials, offered by ISACA and (ISC)², respectively. Strictly speaking, only the CISA or GSNA title would sufficiently demonstrate competence regarding both the information technology and audit aspects, with the CISA being more audit focused and the GSNA more information technology focused.

Key Challenge

IS audit often involves finding and recording observations that are highly technical. Such technical depth is required to perform effective IS audits. At the same time, it is necessary to translate audit findings into vulnerabilities and business impacts to which operating managers and senior management can relate. Therein lies a main challenge of IS audit.

QUESTIONS RELATED TO THE TOPIC

1. What do IT auditors audit against?
2. What are the types of IT auditing?
3. What qualification is required for a system auditor?
4. What is the importance of IS audit in the current economic scenario?

Source: www.isaca.org

Compiled by: Tittu Stanley, tittustanley@gmail.com, Mob: 9809903371
