Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IS Audits and Internal Controls

1,118 views

Published on

Systems Audit is another area of Assurance for an Assurance professional. Auditing a Computer Environment is just as important as auditing the books of accounts.

Hence it is important for a Chartered Accountant to provide sufficient assurance to the stakeholders having interest, that the internal controls deployed in the IT Environment as well as in the Non IT Environment operate effectively.

This article gives an approach for conducting an IS Audit.

Published in: Business
  • Be the first to comment

  • Be the first to like this

IS Audits and Internal Controls

  1. 1. IS Audit and Internal Controls Implementation and continuous review of effectiveness of Internal Controls has always been a challenge for enterprises.Internal Controlscanbe comparedto the chassisof avehicle - withoutthe chassis,the engine isrendered useless.Internal Controlsare mostneededinacorporate environmenttopreventfraudincidence andtomanage risk of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and along withhelpof technology,they have succeededinincreasingtheirsize of services,producesandpresence. Enterprises are nowhavingtheirlocationsall overthe world. Thusthe needof havingcorrectInternal Controlsismore thanever. A CA provided the following services until the effect of technology struck business.As a professional, he used to provide servicessuchasAudit,Tax,CompanyMatters,Legal Compliances,andAccountingetc.SpecificallyasanAudit Professional, he usedto render services of conducting audit engagements such as Statutory Audit, Tax Audits (both DirectandIndirectTaxes),SpecialAudits(asprescribedundervarious Acts),BankAudits,andInternal Auditsetc.There is a paradigm shift in the expectations from Chartered Accountants in the new scenario. A CA as an audit professional can provide more services that relate to technologysuch as IS Audits, Implementation of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic Audits etc. A CA is expectedtoknowand review implementationof new regulationsandstandards like The Sarbanes – Oxley Act of 2002 – Section 302 and 404, The Companies Act 2013 – Section 134 and 143, Clause 49 of SEBI’s Listing Agreement,Privacy Acts of variousCountries and Standards like ISO 27000 Family, ISO 22301, BSI (British Standards Institute) Standards, and PAS (Public Available Standards) Standards etc., not forgetting Frameworks like COBIT 5 (Control Objectives for Information and Related Technology) and COSO (Committee of Sponsoring Organizations) Framework for Internal Controls. One such greenfield service is the engagement of conducting IS Audits or Information Systems Audit. An IS Audit is relatedtoInternal Audit.Internal Controlsthatare presentintheenterpriseare completelyrelevant whileconducting an IS Audit. These are some keywords that would be repeating in this study and is important to understand them. 1. Control:It literallymeansInternal Controlsthatispresentina businessenvironment.Itcan be IT Controlsor non IT Controls. 2. Risk: It is the rate at which there is a threat to the business which has arisen from a specific happening/non happening. 3. Process: A set of tasks make a work flow. A set of work flows make a process. A process is controlled by a “Process owner” or “Function head”. E.g. HR Process, Procurement Process. Internal Control simply means “Policies framedby the management in order to have stronger and adequate control of affairswithinthe enterprise,andwhichcanbe checkedbythe Internal orStatutoryAuditorinorderto ensure that the goalsandobjectivesof the enterpriseare dulymet”. Theyare practicesandprocessesenforcedonthe employees of an enterprise to prevent fraud and to maintain integrity of the data. Internal Controlsissaidtobe asumof General ControlsandISControls.IScontrolsissaidtobe asumof IT Application Controls and IT General Controls. General Controls refers to Internal controls that are not enforced through the IT System unlike the IS Controls. IS Controls are controls that are present on the enterprise’s IT Infrastructure. IT Infrastructure includes hardware and software. IT Application Controls: They vary depending on the applications that have been installed by the enterprise for its revenue generation. Application software is the software that processes business transactions. The Application software couldbe aretail bankingsystem, anInventorysystemorpossibly anintegratedERP.Controlswhichrelateto businessapplicationsleading tojudicial use of the applicationand enforcedthroughthe applicationitself tothe end user are called IT Application Controls. IT Application Controls can be broadly classified into five categories: 1. InputControls:Controlsthatare enforcedduringthe inputof databya user.E.g.Data Checksandvalidations.
  2. 2. 2. Processing Controls: Controls that are enforced during the processing of data that have been input. E.g. duplicate checks, File Identifications and Validations etc. 3. Output Controls: Controls that are enforced during display of output of the processed data. E.g. Update Authorizations etc. 4. Integrity Controls: These controls are used to preserve the genuineness and accuracy of data. E.g. Data Encryption,InputValidationsetc.These controlscan be enforcedduringinputandprocessingand storage of data. 5. Management Trails: These controls are for the management to find out the audit trail of a transaction. E.g. Time stamps and snapshots of application. IT General Controls: They may also be referred as General Computer controls. These are controls other than IT Application Controls, which relate to the environment within which computer-based application systems are developed,maintainedandoperatedandare thereforeapplicabletoall applicationsTheseare policiesandprocedures that relate tomanyapplicationsandsupportthe effectivefunctioningof applicationcontrolsbyhelpingtoensure the continued proper operation of information systems. IT General Controls can be broadly classified into the following areas: 1. Physical Access Controls: These controls are enforced at protecting the physical locations of the IT Infrastructure. E.g. Security Personnel, Physical Locks, Bio Metric Locks, CCTV etc. 2. Data Center Controls: These controls are enforced specifically at the data centers of an enterprise. A data centeristreatedas an extremelysensitive areaandthusa higherriskwouldbe present.E.g.BiometricLocks, Presence of ServerRacks, Presence of AirConditioners,Fire Extinguishers,WeatherControls,LogRegisterof people etc. 3. IS Security:These controlsare enforcedateverylevelof ITInfrastructure.The objectivesof thesecontrolsare protectionof InformationAssets. The CIA triadisenforcedi.e.Confidentiality,IntegrityandAvailabilityof Data andinformationsecurityismaintained.E.g.Firewall,Antivirus,Anti Spyware,Timely updatingof software and antivirus updates and patches etc. 4. SystemDevelopmentLifeCycle andChangeManagementControls:Thesecontrolsare enforcedtoensure that the correct process of software development/procurement and release management is followed. E.g. Documented Process for procuringsoftware, Documented Processof incorporating changes to the acquired software etc. 5. Logical Controls: These are controls which provide access restrictions to the employees who use the IT Infrastructure. The motive of these controls is to protect the identities of the employees and to prevent misuse. E.g. User Account Passwords, Access Removal upon termination, screen locks etc. 6. Backupand Recovery:These controlsare presentto ensure properbackupandrecoveryprocessesof the data of the organization. E.g. Daily Backup of data and environment (OS), Restoration Practice trial etc. 7. End usercomputing:These controlsare enforceddirectlyonthe employees.Thesecontrolsare enforcedwith an objective of prevention of IT Infrastructure Abuse by the employees. E.g. Logging of user activity and Review, Disabling of USB Ports etc. An ISAuditisperformedtoprovide assurance thatall of the above mentionedcontrolsare adequateandsatisfactory to the nature of the enterprise and effectively operational in the functions of the enterprise. An IS Audit is typically dividedintotwosectionsi.e.Review of ITApplicationControls(ITAC) andReview of ITGeneral Controls(ITGC).AnIS Audit would have the following process:-  An IS Auditor would begin his audit engagement by having conversation withthe IT Administrator/CIO of an enterprise. The IS auditor would review all the documented policies and processes that are being enforced withinthe organization.Documentedpolicieswouldinclude aISSecurityPolicy,BringYourOwnDevice Policy (BYOD),PasswordPolicy,BCPetc.The ISAuditorwouldbe gaininganunderstandingof the overall level of the Internal Controls.  An IS Auditor would then gain an understanding of the applications that have been implemented in the IT Infrastructure. It would be a base for him to decide the plan of action of the Audit.  The next step would be to collect a list of all the types of logs that can be generated by the applications.
  3. 3.  Aftercollectingthe above information,the auditorthe auditor identifiesthe risksthat are applicable forthe enterprise. The approachthatwouldbe followed istocreate a matrix foreach applicationandarea (forITAC andITGC respectively) andwouldidentifythecontrolsthatare enforcedinthe enterprise.All the identification and Review of controls would be performed by sampling, observations or any other method.  Testing of Design Effectivenessand testing of operating effectiveness would be performed by the IS Auditor on every identifiedcontrol. Testing of Design Effectiveness refersto the working design of the control as documented.Itis a blue printof the control.Testingof OperatingEffectivenessreferstoactual performance of the Control in the IT Environment.  It isimportantforthe ISAuditorto collectsufficientevidencewhile identifyingthe controls.Evidencescanbe in the form of Screenshots, Email threads, Scanned documents, photographs, Minutes of Meetings etc.  A Risk Rating exercise is then performed to the identified controls to see whether the identified control is sufficient to mitigate the identified risk.  Based on the Risk Ratings and the evidences collected, suitable recommendations would be suggestedand accordingly an IS Audit report would be drafted and shared to the enterprise. Thus the ultimate test of IT Internal Controls can be performed in an IS Audit. Based on the findings and observations,anIS Auditorwouldbe able to provide sufficientassurance whetherthe incorporatedcontrolsare adequate or not to the nature and size of the IT Infrastructure of the enterprise.

×