- The document discusses the importance of internal controls and information systems auditing for organizations. It aims to understand control objectives, how to implement and monitor internal control systems, and the information systems audit process.
- It explains that information technology impacts all aspects of business and organizations need appropriate information systems controls to ensure data integrity, reliability, and timely information flow. Information systems auditing evaluates controls to ensure operational effectiveness and reliability.
- Several factors influence the need for information systems controls and auditing, including organizational costs of data loss, risks of incorrect decision making, costs of computer abuse/errors, and the need to safeguard assets and maintain privacy and data integrity.
Top 10 and Insight into IT Strategic challenges Presented at the IT Strategy Forum organized by IIRME in Dubai, UAE, presented by Jorge Sebastiao for eSgulf
Top 10 and Insight into IT Strategic challenges Presented at the IT Strategy Forum organized by IIRME in Dubai, UAE, presented by Jorge Sebastiao for eSgulf
Securing Business: Strategic Enablement of UsersJon Gatrell
Sending big files is not as easy as it sounds and it definitely is appropriate to use email or ftp. Communicate securely and enable users to do business through a strategy, not technology.
ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...IJNSA Journal
The financial world has gotten more sophisticated. People need to make informed financial decisions, so
they seek out efficient tools to help them manage their finances. Traditionally, money management software
has been available for individuals to use in their homes on their personal computers. These tools were a
local install, often expensive, and required a learning curve to use them effectively. With a paradigm shift
to cloud computing and storage, users are looking for inexpensive alternatives that are accessible at home
or on their mobile devices. As a result, third-party companies have been forming over the last few years to
meet this need. However, to access the functionality of these online resources, users are required to divulge
their personal financial account login credentials. While third-party companies claim that subscribers’
private information is safely stored on their servers, one cannot ignore the fact that hackers may be able to
break into their system to steal users’ information. Once hackers manage to compromise users’ login
credentials, they have complete control over their accounts. Therefore, there is a need to have a holistic
approach that incorporates security elements to protect users’ accounts from hackers.
We present a novel, holistic model with a new handshake protocol and online account access control,
which authenticate account access and form a sandbox around third-party access to users’ accounts. When
utilizing these novel techniques, users’ login credentials can remain private, providing safeguards against
unauthorized transactions on their accounts.
VTU - MIS Module 8 - Security and Ethical ChallengesPriya Diana Mercy
Ethical responsibilities of Business Professionals
Business, technology, Computer crime
Hacking, cyber theft, unauthorized use at work. Piracy
Software and intellectual property.
Privacy – Issues and the Internet
Privacy Challenges
Working condition, individuals. Health and Social Issues
Ergonomics
Cyber terrorism
ANALYSIS THE ATTACK AND E-COMMERCE SECURITY
It is Secondary Base Term Paper . Do not copy it but you can use it for gathering information and it is well structure term paper as well as.
data protection and security means to protect your data from unauthorized user access. we should apply some privacy measures to protect our data from unauthorized access. security measures taken to protect the integrity of the data
How technology is impacting the logistics industryNatalie Jones
Technology evolution is pushing the boundaries and changing the way business is done around the world. Advanced technology in the supply chain has improved productivity, minimizing expenses and failures.
http://assignment-partner.com/ .That's a sample paper - essay / paper on the topic "Information system infrastructure" created by our writers!
Disclaimer: The paper above have been completed for actual clients. We have acclaimed personal permission from the customers to post it.
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
Materi Perkuliahan Control and Auditing Information System in Uin Suska Riau.
About Fundamental and Theory Control and Audit. Where this Slide just Theory, not spesific because it just job from teacher in the class.
Securing Business: Strategic Enablement of UsersJon Gatrell
Sending big files is not as easy as it sounds and it definitely is appropriate to use email or ftp. Communicate securely and enable users to do business through a strategy, not technology.
ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...IJNSA Journal
The financial world has gotten more sophisticated. People need to make informed financial decisions, so
they seek out efficient tools to help them manage their finances. Traditionally, money management software
has been available for individuals to use in their homes on their personal computers. These tools were a
local install, often expensive, and required a learning curve to use them effectively. With a paradigm shift
to cloud computing and storage, users are looking for inexpensive alternatives that are accessible at home
or on their mobile devices. As a result, third-party companies have been forming over the last few years to
meet this need. However, to access the functionality of these online resources, users are required to divulge
their personal financial account login credentials. While third-party companies claim that subscribers’
private information is safely stored on their servers, one cannot ignore the fact that hackers may be able to
break into their system to steal users’ information. Once hackers manage to compromise users’ login
credentials, they have complete control over their accounts. Therefore, there is a need to have a holistic
approach that incorporates security elements to protect users’ accounts from hackers.
We present a novel, holistic model with a new handshake protocol and online account access control,
which authenticate account access and form a sandbox around third-party access to users’ accounts. When
utilizing these novel techniques, users’ login credentials can remain private, providing safeguards against
unauthorized transactions on their accounts.
VTU - MIS Module 8 - Security and Ethical ChallengesPriya Diana Mercy
Ethical responsibilities of Business Professionals
Business, technology, Computer crime
Hacking, cyber theft, unauthorized use at work. Piracy
Software and intellectual property.
Privacy – Issues and the Internet
Privacy Challenges
Working condition, individuals. Health and Social Issues
Ergonomics
Cyber terrorism
ANALYSIS THE ATTACK AND E-COMMERCE SECURITY
It is Secondary Base Term Paper . Do not copy it but you can use it for gathering information and it is well structure term paper as well as.
data protection and security means to protect your data from unauthorized user access. we should apply some privacy measures to protect our data from unauthorized access. security measures taken to protect the integrity of the data
How technology is impacting the logistics industryNatalie Jones
Technology evolution is pushing the boundaries and changing the way business is done around the world. Advanced technology in the supply chain has improved productivity, minimizing expenses and failures.
http://assignment-partner.com/ .That's a sample paper - essay / paper on the topic "Information system infrastructure" created by our writers!
Disclaimer: The paper above have been completed for actual clients. We have acclaimed personal permission from the customers to post it.
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
Materi Perkuliahan Control and Auditing Information System in Uin Suska Riau.
About Fundamental and Theory Control and Audit. Where this Slide just Theory, not spesific because it just job from teacher in the class.
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxjoellemurphey
Running head: AUDITING INFORMATION SYSTEMS PROCESS
1
AUDITING INFORMATION SYSTEMS PROCESS 2
Auditing information systems process
Student’s Name
University Affiliation
Process of Auditing information systems
Information system is the livelihood of every huge company. As it has been in the past years, computer systems don’t simply document transactions of business, rather essentially compel the main business procedures of the venture. In this kind of a situation, superior administration and company managers usually have worries concerning an information system. assessment is a methodical process in which a proficient, autonomous person impartially gets and assesses proof concerning affirmations about a financial unit or occasion with the intent to outline an outlook about and giving feedback on the extent in which the contention matches an acknowledged standards set. information systems auditing refers to the administration controls assessment inside the communications of Information Technology. The obtained proof valuation is used to decide if systems of information are defensive assets, maintenance reliability of data, and also if they are efficiently operating in order to attain organization’s goals or objectives (Hoelzer, 2009).
Auditing of Information Systems has become an essential part of business organization in both large and small business environments. This paper examines the preliminary points for carrying out and Information system audit and some of the, techniques, tools, guidelines and standards that can be employed to build, manage, and examine the review function. The Certified Information Systems Auditor (CISA) qualifications is recognized worldwide as a standard of accomplishment for those who assess, monitor, control and audit the information technology of an organization and business systems. Information Systems experts with a concern in information systems security, control and audit. At least five years of specialized information systems security, auditing and control work practice is necessary for certification. An audit contract should be present to evidently state the responsibility of the management, purpose for, in addition to designation of power to audit of Information System . The audit contract should also summarize the general right, responsibilities and scope of the purpose of audit. The uppermost level of management should endorse the contract and on one occasion it is set up, this contract is supposed to be distorted merely if the amendment is and might be meticulously defensible.
The process of auditing information systems involves;-
Audit Function Management; this process includes assessment which is systematic of policies and methods of management of the organization in managemen ...
Visit www.lifein01.com for presentations of all chapters.
Auditing is the process of assessment of financial, operational, strategic goals and processes in organizations to determine whether they are in compliance with the stated principles, regulatory norms, rules, and regulations.
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docxLynellBull52
· Processed on 09-Dec-2014 9:01 PM CST
· ID: 488406360
· Word Count: 1969
Similarity Index
47%
Similarity by Source
Internet Sources:
46%
Publications:
2%
Student Papers:
N/A
sources:
1
30% match (Internet from 27-Mar-2009)
http://www.isaca.org/Content/ContentGroups/Journal1/20023/The_IS_Audit_Process.htm
2
13% match (Internet from 29-Mar-2011)
http://www.scribd.com/doc/36655995/Chapter-1-the-Information-System-Audit-Process
3
2% match (publications)
Athula Ginige. "Web site auditing", Proceedings of the 14th international conference on Software engineering and knowledge engineering - SEKE 02 SEKE 02, 2002
4
1% match (Internet from 26-Feb-2012)
http://www.dc.fi.udc.es/~parapar/files/ai/The_IS_Audit_Process_isaca_sayana.pdf
5
1% match (Internet from 01-Apr-2009)
http://www.idkk.gov.tr/web/guest/it_audit_manual_isaca
paper text:
Running head: AUDITING INFORMATION SYSTEMS PROCESS Auditing information systems process Student’s Name University Affiliation Auditing information systems 2process Information systems are the livelihood of any huge business. As in past years, computer systems do not simply record transactions of business, but essentially drive the main business procedures of the enterprise. In such a situation, superior management and business managers do have worries concerning information systems. Auditing is a methodical process by which a proficient, independent person impartially obtains and assesses evidence concerning assertions about a financial entity or occasion for the reason of outlining an outlook about and reporting on the extent to which the contention matches to an acknowledged set of standards. Auditing of information systems is the administration controls assessment inside the communications of Information Technology. The obtained proof valuation is used to decide if systems of information are defensive assets, maintenance reliability of data, and also if they are efficiently operating in order to attain organization’s goals or objectives (Hoelzer, 2009). Auditing of Information Systems has become an essential part of business organization in both large and small business environments. This paper examines the preliminary points for carrying out and Information system audit and some of the, techniques, tools, guidelines and standards that can be employed to build, manage, and examine the review function. The Certified Information Systems Auditor (CISA) qualifications is recognized worldwide as a standard of accomplishment for those who assess, monitor, control and audit the information technology of an organization and business systems. Information Systems experts with a concern in information systems security, control and audit. At least five years of specialized information systems security, auditing and control work practice is necessary for certification. An audit contract should be present to evidently state the responsibility of the management, 2objectives for, and designation of authority to Information .
Information systems and its components iiAshish Desai
This study note helps to identify the concept of Control, Policies, Procedure and Practise apply inside the InformationSystem. Also, explain the types of control with the detailed description.
This is specially design for the students of IPCC Group 2 (ICAI)
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...pchutichetpong
M Capital Group (“MCG”) expects to see demand and the changing evolution of supply, facilitated through institutional investment rotation out of offices and into work from home (“WFH”), while the ever-expanding need for data storage as global internet usage expands, with experts predicting 5.3 billion users by 2023. These market factors will be underpinned by technological changes, such as progressing cloud services and edge sites, allowing the industry to see strong expected annual growth of 13% over the next 4 years.
Whilst competitive headwinds remain, represented through the recent second bankruptcy filing of Sungard, which blames “COVID-19 and other macroeconomic trends including delayed customer spending decisions, insourcing and reductions in IT spending, energy inflation and reduction in demand for certain services”, the industry has seen key adjustments, where MCG believes that engineering cost management and technological innovation will be paramount to success.
MCG reports that the more favorable market conditions expected over the next few years, helped by the winding down of pandemic restrictions and a hybrid working environment will be driving market momentum forward. The continuous injection of capital by alternative investment firms, as well as the growing infrastructural investment from cloud service providers and social media companies, whose revenues are expected to grow over 3.6x larger by value in 2026, will likely help propel center provision and innovation. These factors paint a promising picture for the industry players that offset rising input costs and adapt to new technologies.
According to M Capital Group: “Specifically, the long-term cost-saving opportunities available from the rise of remote managing will likely aid value growth for the industry. Through margin optimization and further availability of capital for reinvestment, strong players will maintain their competitive foothold, while weaker players exit the market to balance supply and demand.”
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Data and AI
Round table discussion of vector databases, unstructured data, ai, big data, real-time, robots and Milvus.
A lively discussion with NJ Gen AI Meetup Lead, Prasad and Procure.FYI's Co-Found
Show drafts
volume_up
Empowering the Data Analytics Ecosystem: A Laser Focus on Value
The data analytics ecosystem thrives when every component functions at its peak, unlocking the true potential of data. Here's a laser focus on key areas for an empowered ecosystem:
1. Democratize Access, Not Data:
Granular Access Controls: Provide users with self-service tools tailored to their specific needs, preventing data overload and misuse.
Data Catalogs: Implement robust data catalogs for easy discovery and understanding of available data sources.
2. Foster Collaboration with Clear Roles:
Data Mesh Architecture: Break down data silos by creating a distributed data ownership model with clear ownership and responsibilities.
Collaborative Workspaces: Utilize interactive platforms where data scientists, analysts, and domain experts can work seamlessly together.
3. Leverage Advanced Analytics Strategically:
AI-powered Automation: Automate repetitive tasks like data cleaning and feature engineering, freeing up data talent for higher-level analysis.
Right-Tool Selection: Strategically choose the most effective advanced analytics techniques (e.g., AI, ML) based on specific business problems.
4. Prioritize Data Quality with Automation:
Automated Data Validation: Implement automated data quality checks to identify and rectify errors at the source, minimizing downstream issues.
Data Lineage Tracking: Track the flow of data throughout the ecosystem, ensuring transparency and facilitating root cause analysis for errors.
5. Cultivate a Data-Driven Mindset:
Metrics-Driven Performance Management: Align KPIs and performance metrics with data-driven insights to ensure actionable decision making.
Data Storytelling Workshops: Equip stakeholders with the skills to translate complex data findings into compelling narratives that drive action.
Benefits of a Precise Ecosystem:
Sharpened Focus: Precise access and clear roles ensure everyone works with the most relevant data, maximizing efficiency.
Actionable Insights: Strategic analytics and automated quality checks lead to more reliable and actionable data insights.
Continuous Improvement: Data-driven performance management fosters a culture of learning and continuous improvement.
Sustainable Growth: Empowered by data, organizations can make informed decisions to drive sustainable growth and innovation.
By focusing on these precise actions, organizations can create an empowered data analytics ecosystem that delivers real value by driving data-driven decisions and maximizing the return on their data investment.
1. LEARNING OBJECTIVES :
-To understand the importance of internal controls and control objectives,
-How to set and monitor Internal Control systems,
-Categories of Control Techniques: System development, System implementation,
Change management, Data integrity, Privacy and Security, and
A-n overview of the entire IS Audit process.
3.1 INFORMATION SYSTEMS CONTROLS
The increasing use of information technology in a large number of organizations has made it
imperative that appropriate information systems are implemented in an organization.
Information technology covers all key aspects of business processes of an enterprise and has
an impact on its strategic and competitive advantage for its success. The enterprise strategy
outlines the approach it wishes to formulate with relevant policies and procedures on
harnessing the resources to achieve business objectives.
Control is defined as: Policies, procedures, practices and enterprise structure that are
designed to provide reasonable assurance that business objectives will be achieved and
undesired events are prevented or detected and corrected.
Thus an information systems auditing includes reviewing the implemented system or providing
consultation and evaluating the reliability of operational effectiveness of controls.
3.2 NEED FOR CONTROL AND AUDIT OF INFORMATION SYSTEMS
Technology has impacted what can be done in business in terms information and as a
business enabler. It has increased the ability to capture, store, analyze and process
tremendous amounts of data and information by empowering the business decision maker.
With the advent of affordable hardware, technology has become a critical component of
business. Today’s dynamic global enterprises need information integrity, reliability and validity
for timely flow of accurate information throughout the organization. Safeguarding assets to
maintain data integrity to achieve system effectiveness and efficiency is a significant control
process.
Factors influencing an organization toward control and audit of computers and the impact of
the information systems audit function on organizations are depicted in the Fig. 3.1.
2. Organisational Costs of Data Loss : Data is a critical resource of an organisation for its
present and future process and its ability to adapt and survive in a changing
environment.
(ii) Incorrect Decision Making : Management and operational controls taken by managers
involve detection, investigations and correction of out-of-control processes. These high
level decisions require accurate data to make quality decision rules.
(iii) Costs of Computer Abuse : Unauthorised access to computer systems, computer viruses,
unauthorised physical access to computer facilities and unauthorised copies of sensitive
data can lead to destruction of assets (hardware, software, documentation etc.)
(iv) Value of Computer Hardware, Software and Personnel : These are critical resources of
an organisation which has a credible impact on its infrastructure and business
competitiveness.
(v) High Costs of Computer Error : In a computerised enterprise environment where many
critical business processes are performed a data error during entry or process would
cause great damage.
3. (vi) Maintenance of Privacy : Today data collected in a business process contains details
about an individual on medical, educational, employment, residence etc. These data were also collected
before computers but now there is a fear that privacy has eroded
beyond acceptable levels.
(vii) Controlled evolution of computer Use : Technology use and reliability of complex
computer systems cannot be guaranteed and the consequences of using unreliable
systems can be destructive.
(viii) Information Systems Auditing : is the process of attesting objectives (those of the
external auditor) that focus on asset safeguarding and data integrity, and management
objectives (those of the internal auditor) that include not only attest objectives but also
effectiveness and efficiency objectives.
(ix) Asset Safeguarding Objectives : The information system assets (hardware, software,
data files etc.) must be protected by a system of internal controls from unauthorised
access.
(x) Data Integrity Objectives : is a fundamental attribute of IS Auditing. The importance to
maintain integrity of data of an organisation depends on the value of information, the
extent of access to the information and the value of data to the business from the
perspective of the decision maker, competition and the market environment.
(xi) System Effectiveness Objectives : Effectiveness of a system is evaluated by auditing the
characteristics and objective of the system to meet substantial user requirements.
(xii) System Efficiency Objectives : To optimize the use of various information system
resources (machine time, peripherals, system software and labour) along with the impact
on its computing environment.
3.3 EFFECT OF COMPUTERS ON INTERNAL CONTROLS
The internal controls within an enterprise in a computerised environment the major areas of
impact with the goal of asset safeguarding, data integrity, system efficiency and effectiveness
are discussed below.
(i) Personnel : Whether or not staffs are trustworthy, if they know what they are doing and, if
they have the appropriate skills and training to carry out their jobs to a competent
standard.
(ii) Segregation of duties : a key control in an information system. Segregation basically
means that the stages in the processing of a transaction are split between different
people, such that one person cannot process a transaction through from start to finish.
4. The various stages in the transaction cycle are spread between two or more individuals.
However, in a computerised system, the auditor should also be concerned with the
segregation of duties within the IT department.
Within an IT environment, the staff in the computer department of an enterprise will have
a detailed knowledge of the interrelationship between the source of data, how it is
processed and distribution and use of output. IT staff may also be in a position to alter
transaction data or even the financial applications which process the transactions. This gives them the
knowledge and means to alter data, all they would then require is a
motive.
(iii) Authorisation procedures : to ensure that transactions are approved. In some on-line
transaction systems written evidence of individual data entry authorisation, e.g. a
supervisor’s signature, may be replaced by computerised authorisation controls such as
automated controls written into the computer programs (e.g. programmed credit limit
approvals)
(iv) Record keeping : the controls over the protection and storage of documents, transaction
details, and audit trails etc.
(v) Access to assets and records : In the past manual systems could be protected from
unauthorised access through the use of locked doors and filing cabinets. Computerised
financial systems have not changed the need to protect the data. A client’s financial data
and computer programs are vulnerable to unauthorised amendment at the computer or
from remote locations. The use of wide area networks, including the Internet, has
increased the risk of unauthorised access. The nature and types of control available have
changed to address these new risks.
(vi) Management supervision and review : Management’s supervision and review helps to
deter and detect both errors and fraud.
(vii) Concentration of programs and data : Transaction and master file data (e.g. pay rates,
approved suppliers lists etc.) may be stored in a computer readable form on one
computer installation or on a number of distributed installations. Computer programs
such as file editors are likely to be stored in the same location as the data. Therefore, in
the absence of appropriate controls over these programs and utilities, there is an
increased risk of unauthorised access to, and alteration of financial data.
The computer department may store all financial records centrally. For example, a large
multinational company with offices in many locations may store all its computer data in just
one centralised computer centre. In the past, the financial information would have been spread
throughout a client’s organisation in many filing cabinets.
If a poorly controlled computer system was compared to a poorly controlled manual system, it
would be akin to placing an organisation’s financial records on a table in the street and placing
5. a pen and a bottle of correction fluid nearby. Without adequate controls anyone could look at
the records and make amendments, some of which could remain undetected.
Internal controls used within an organisation comprise of the following five interrelated
components:
Control environment : Elements that establish the control context in which specific accounting
systems and control procedures must operate. The control environment is manifested in
management’s operating style, the ways authority and responsibility are assigned, the
functional method of the audit committee, the methods used to plan and monitor performance
and so on.
RESPONSIBILITY FOR CONTROLS
Management is responsible for establishing and maintaining control to achieve the objectives
of effective and efficient operations, and reliable information systems. Management should
consistently apply the internal control standards to meet each of the internal control objectives and to
assess internal control effectiveness. The number of management levels depends on
the company size and organisation structure, but generally there are three such levels senior,
middle and supervisory. Senior management is responsible for strategic planning and
objectives thus setting the course in the lines of business that the company will pursue, Middle
management develops the tactical plans, activities and functions that accomplish the strategic
objectives, supervisory management oversees and controls the daily activities and functions of
the tactical plan
Management is responsible for establishing and maintaining control to achieve the objectives
of effective and efficient operations, and reliable information systems. Management should
consistently apply the internal control standards to meet each of the internal control objectives and to
assess internal control effectiveness. The number of management levels depends on
the company size and organisation structure, but generally there are three such levels senior,
middle and supervisory. Senior management is responsible for strategic planning and
objectives thus setting the course in the lines of business that the company will pursue, Middle
management develops the tactical plans, activities and functions that accomplish the strategic
objectives, supervisory management oversees and controls the daily activities and functions of
the tactical plan
6. Long-range planning: includes documenting goals and objectives, explaining how
strengths will be used and how weakness will be compensated for or corrected. The elements of long-
range planning incorporate:
The goals and objective of the plan-for use in measuring progress,
Revenue and expense estimates,
Time allowance and target dates, and
Strengths and weakness
Long-range planning and IT department: The information system managers must take
systematic and proactive measures to
Develop and implement appropriate, cost-effective internal control for resultsoriented management;
Assess the adequacy of internal control in programs and operations;
Separately assess and document internal control over information systems
consistent with the information security policy of the organisation
Identify needed improvements;
7. Take corresponding corrective action; and
Report annually on internal control through management assurance statements
(iii) Shot-range planning or tactical planning- the functions and activities performed every day
are established to meet the long-range goals. For example, data processing job plan
defines daily activities of developing software and obtaining hardware in sufficient time to
support business activities.
(iv) Personnel Management controls: This involves activities and functions to accomplish the
administration of individuals, salary and benefits costs. The control techniques are-
Job descriptions- It’s a management control to communicate management
requirement and provide a standard for performance measurement.
Salary and benefits budget: To identify the cost factors and evolve a strategic plan
for new product and services.
Recruiting standards and criteria-This control is critical for IS positions which
requires technical training and experience to develop and maintain operational
efficiency.
Job performance evaluations: To counsel and motivate employees to maintain
quality of systems design and conformance with deadlines and budget time.
Screening and security standards: In an IS environment an intentionally erroneous
or fraudulent program can damage a company, even causing bankruptcy. Screening
and credit reports are preventive control measures with applicable labour laws and
regulations.
3.6 THE IS AUDIT PROCESS
The Audit of an IS environment to evaluate the systems, practices and operations may include
one or both of the following
-Assessment of internal controls within the IS environment to assure validity, reliability,
and security information.
Assessment of the efficiency and effectiveness of the IS environment in economic terms.
The IS audit process is to evaluate the adequacy of internal controls with regard to both
specific computer programs and the data processing environment as a whole. This includes
evaluating both the effectiveness and efficiency. The focus (scope and objective) of the audit
process is not only on security which comprises confidentiality, integrity and availability but
also on effectiveness (result-orientation) and efficiency (optimum utilisation of resources)
3.6.1 Responsibility of IS Auditor
The audit objective and scope has a significant bearing on the skill and competence
requirements of an IS auditor. The set of skills that is generally expected of an IS auditor
include :
Sound knowledge of business operations, practices and compliance requirements,
Should possess the requisite professional technical qualification and certifications,
An good understanding of information Risks and Controls,
8. Knowledge of IT strategies, policy and procedure controls,
Ability to understand technical and manual controls relating to business continuity, and
Good knowledge of Professional Standards and Best practices of IT controls and
security.
3.6.2 Functions of IS Auditor
IT Auditor often is the translator of business risk, as it relates to the use of IT, to management,
someone who can check the technicalities well enough to understand the risk (not necessarily
manage the technology) and make a sound assessment and present risk-oriented advice to
management.
IT auditors review risks relating to IT systems and processes, some of them are:
(i) Inadequate information security (e.g. missing or out of date antivirus controls, open
computer ports, open systems without password or weak passwords etc.)
(ii) Inefficient use of corporate resources, or poor governance (e.g. huge spending on
unnecessary IT projects like printing resources, storage devices, high power servers and
workstations etc.)
(iii) Ineffective IT strategies, policies and practices (including a lack of policies for use of
Information and Communication Technology (ICT) resources, Internet usage policies,
Security practices etc.)
(iv) IT-related frauds (including phishing, hacking etc)
Categories of IS audits
IT audits has been categorized in to five types:
(i) Systems and Applications : An audit to verify that systems and applications are
appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely,
and secure input, processing, and output at all levels of a system's activity
(ii) i) Information Processing Facilities : An audit to verify that the processing facility is
controlled to ensure timely, accurate, and efficient processing of applications under
normal and potentially disruptive conditions.
(iii) Systems Development : An audit to verify that the systems under development meet the
objectives of the organization and to ensure that the systems are developed in
accordance with generally accepted standards for systems development.
(iv) Management of IT and Enterprise Architecture : An audit to verify that IT management
has developed an organizational structure and procedures to ensure a controlled and
efficient environment for information processing.
(v) Telecommunications, Intranets, and Extranets : An audit to verify that controls are in
place on the client (computer receiving services), server, and on the network connecting
the clients and servers.
9. 3.6.4 Steps in Information Technology Audit
Different audit organizations go about IT auditing in different ways and individual auditors
have their own favourite ways of working. It can be categorized into six stages
1. Scoping and pre-audit survey : the auditors determine the main area/s of focus and any
areas that are explicitly out-of-scope, based normally on some form of risk-based
assessment. Information sources at this stage include background reading and web
browsing, previous audit reports, pre audit interview, observations and, sometimes,
subjective impressions that simply deserve further investigation.
2. Planning and preparation : during which the scope is broken down into greater levels of
detail, usually involving the generation of an audit work plan or risk-control-matrix.
3. Fieldwork : gathering evidence by interviewing staff and managers, reviewing documents,
printouts and data, observing processes etc.
4. Analysis : this step involves desperately sorting out, reviewing and trying to make sense
of all that evidence gathered earlier. SWOT (Strengths, Weaknesses, Opportunities,
Treats) or PEST (Political, Economic, Social, Technological) techniques can be used for
analysis.
5. Reporting : reporting to the management is done after analysis of data gathered and
analysis.
6. Closure : closure involves preparing notes for future audits and ollowing –up
management to complete the actions they promised after previous audits