IS Audit
An IS audit is the process of collecting and examining evidence about the management of controls over an organization's information systems, processes, controls, and operations. By analyzing that evidence, the IS audit process determines whether the components of the information systems that safeguard assets and ensure data integrity are operating effectively enough to fulfill the organization's overall goals and objectives. The audit reviews can be undertaken as part of a financial statement audit, an internal audit, or another type of attestation engagement.
An IS audit covers the following categories.
- Systems & Applications: A focus on an organization's systems and applications.
- Information Processing Facilities: Ensuring that IT procedures run smoothly, on time,
and accurately, regardless of the circumstances.
- System Development: Determine whether or not the systems in development are
compliant with the organization's standards.
- IT and Enterprise Architecture Management: Ensuring that IT management is structured and that activities are carried out in a regulated and effective manner.
An IS audit involves auditing management, operational and technical controls.
Importance of IS Audit for an Organization
Since 2019, the governments of many nations, including Nepal, have made it mandatory for certain types of firms to undergo an IS audit. When an institution conducts an IS audit, it can examine its information system's gaps and weaknesses, identify potential sources of threats, assess information misuse, and identify high-risk elements.
The primary goal of an IS audit is to assist the organization's information system managers in carrying out their jobs and responsibilities effectively in order to achieve the organization's objectives, and to support sound decision-making and the security of data and information. Being able to trace one's data can also aid in data recovery if an error has occurred.
Legalities in Nepal
IS audit regulations are guided by the Nepal Rastra Bank's IT Policy and IT Guidelines (2012). According to the guidelines, an organization must take the necessary steps to make its employees, contractors, and consultants aware of the company's IS policy and to ensure that they follow it, which can be accomplished through proper employment information, employee agreements, policy awareness, and acknowledgment.
They must also undertake risk assessments on a regular basis, at least once a year, of the technological operations that can have a significant influence on the organization's business and reputation, and respond accordingly.
Major Focused Areas
Governance and Management of IT
IT governance is a formal framework that gives organizations a mechanism to ensure that their IT investments support their business goals and the needs of their stakeholders. These frameworks necessitate periodic evaluations to prevent obsolete information from exposing the firm to unwanted risk or noncompliance. We look at whether the IT strategy, IT-related frameworks, IT standards, policies and procedures are being followed correctly by comparing them to industry guidelines and best practices. These are critical because they direct the workforce and ensure proper resource utilization.
Information Systems Acquisition, Development and Implementation
This area covers how IT auditors provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization's strategies and objectives. We examine the business case and feasibility analysis, test the system development methodologies, and ensure that the post-implementation review is carried out as it ought to be.
Protection of Information Assets
Understanding the value of information assets is a key consideration for information systems management. The scope includes a comprehensive list of mobile, wireless, and Internet-of-Things (IoT) devices, computer equipment, phones, networks, email, data and any access-related items such as cards, tokens and passwords. This area of focus aims to provide assurance that the confidentiality, integrity and availability of information assets are ensured by the enterprise's security policies, standards, procedures and controls.
Information Systems Operations & Business Resilience
Business resilience planning is a governance and risk management responsibility that organizations must address in order to survive and thrive in an increasingly hostile environment. It encompasses crisis management and business continuity plans for the various types of risk that an organization may face, from cyber threats to natural disasters, and much else besides. Business resilience also concerns the ways an organization addresses the consequences of incidents and its ability to adapt to the new environment and circumstances following an incident. We examine the organization's Business Impact Analysis, Business Continuity Plan, Disaster Recovery Plans, Data Backup, Storage, and Restoration, and System Resiliency, and conclude whether the organization has been able to overcome any incidents that occurred.
Audit Methodology
We follow ISACA guidelines for the audit along with best industry practices and incorporate various IT frameworks, guidelines and standards such as COBIT 5, ISO 27001, the NIST Framework, NRB IT Guidelines, NTA Cyber Byelaws, ITIL and PCI DSS wherever necessary. We have also partnered with leading foreign-based cyber security companies to serve our valued clients wherever expert resources are required.