Systems Audit is another area of Assurance for an Assurance professional. Auditing a Computer Environment is just as important as auditing the books of accounts.
Hence it is important for a Chartered Accountant to provide sufficient assurance to the stakeholders having interest, that the internal controls deployed in the IT Environment as well as in the Non IT Environment operate effectively.
This article gives an approach for conducting an IS Audit.
Cloud Computing - Emerging Opportunities in the CA Profession, by Bharath Rao
In the present era, everything runs in the cloud. The development of Cloud computing technology has led to a sharp decrease in Capital Expenditure for industries. It has also led to their solutions being made available everywhere and on any device.
This article provides functional knowledge as to how a Chartered Accountant may add value to the development of Internal Controls that protect the Confidentiality, Integrity, Availability and Privacy of the data being used in the Cloud.
Information Systems Audit is now an emerging field for Chartered Accountants and other Auditing Professionals. This presentation describes in brief the relation between Internal Controls and IS Audit. It is a basic presentation for understanding the concept of IS Audit for those who are new to the field.
Please send in your valuable suggestions and comments to mailme@bharathraob.com
Sample IT Best Practices Audit report.
An objective, self-service tool for CIOs by CIOs.
Identify and prioritize issues.
Solve the root causes.
Justify Investments.
Improve user productivity.
Maximize existing assets.
Reduce IT costs.
Improve IT service.
Reallocate IT resources to drive the business.
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015), by Muhammad Azmy
Lecture material for Control and Auditing Information System at UIN Suska Riau.
About the fundamentals and theory of control and audit. These slides cover theory only, not specifics, because they were just an assignment from the teacher in class.
Basics in IT Audit and Application Control Testing, by Dinesh O Bareja
IT Audit and Application Control Testing are large and complex activities in themselves, and this is my presentation to share the basics here, based on my own experience and using guidance from IIA GTAGs.
Understanding this course helps you get an idea of how the audit assessment is performed and where the focus lies. General controls take a large percentage of the entire Audit function and should be paid adequate attention during the session.
Have you navigated your predictive maintenance maturity level?
Navigating the maturity level of your predictive maintenance model could help you identify the new requirements of your business to utilize the data more effectively. Check out the post to explore more about predictive maintenance maturity level and how you can improve on the levels to increase your operational effectiveness.
Changes can introduce untested conditions, or produce unpredictable errors and problems. Change auditing is a means whereby both IT administrators and management can readily distribute, secure and manage resources to ensure accountability and operational stability. This white paper explains why change auditing is important and covers features required for Active Directory change auditing.
Big Data is the latest cash cow. Data Analytics now has a crucial role for industries. This article describes what Big Data and Analytics are and how a Chartered Accountant will be able to provide value in this field.
Internal Controls over Indian Financial Reporting, by Bharath Rao
Corporate Accountability has been gaining momentum in the Indian Scenario. The Companies Act 2013 has now benchmarked itself to regulations like the Sarbanes-Oxley Act and stresses that the auditor has to give an opinion on whether the Internal Controls that handle Financial Data are operating effectively. Sections 134 and 143 of the Companies Act 2013 highlight the requirements for documenting, implementing, enforcing and auditing those internal controls which handle Financial Data.
This article provides an introduction of Internal Controls over Financial Reporting in the Indian perspective.
This file was presented by me during the study circle meeting at the Mangalore Branch of Southern India Regional Council of the Institute of Chartered Accountants of India.
A public work I developed while under contract with UL to build and operate their Sustainability and energy Practice across the US, global offices and management consultant base.
Created as a management consulting tool for "C" Suite executives to guide in strategy development, launch, operation, and assessment of internal programs controlling all forms of energy, behavioral or engineering based projects.
Defining an IT Auditor,
IT Auditor Certifications & ISACA,
IT Audit Phases,
Preparing to be Audited,
How an IT auditor audits applications,
Auditing technology for Information Systems.
Processed on 09-Dec-2014 9:01 PM CST · ID 488406360 · Word .docx, by LynellBull52
Processed on: 09-Dec-2014 9:01 PM CST
ID: 488406360
Word Count: 1969
Similarity Index: 47%
Similarity by Source: Internet Sources 46%; Publications 2%; Student Papers N/A
Sources:
1. 30% match (Internet from 27-Mar-2009): http://www.isaca.org/Content/ContentGroups/Journal1/20023/The_IS_Audit_Process.htm
2. 13% match (Internet from 29-Mar-2011): http://www.scribd.com/doc/36655995/Chapter-1-the-Information-System-Audit-Process
3. 2% match (publications): Athula Ginige. "Web site auditing", Proceedings of the 14th international conference on Software engineering and knowledge engineering - SEKE 02, 2002
4. 1% match (Internet from 26-Feb-2012): http://www.dc.fi.udc.es/~parapar/files/ai/The_IS_Audit_Process_isaca_sayana.pdf
5. 1% match (Internet from 01-Apr-2009): http://www.idkk.gov.tr/web/guest/it_audit_manual_isaca
Paper text:
Running head: AUDITING INFORMATION SYSTEMS PROCESS
Auditing information systems process
Student’s Name
University Affiliation
Auditing information systems process
Information systems are the livelihood of any huge business. As in past years, computer systems do not simply record transactions of business, but essentially drive the main business procedures of the enterprise. In such a situation, superior management and business managers do have worries concerning information systems. Auditing is a methodical process by which a proficient, independent person impartially obtains and assesses evidence concerning assertions about a financial entity or occasion for the reason of outlining an outlook about and reporting on the extent to which the contention matches an acknowledged set of standards. Auditing of information systems is the administration controls assessment inside the communications of Information Technology. The obtained proof valuation is used to decide if systems of information are defensive assets, maintaining reliability of data, and also if they are efficiently operating in order to attain the organization’s goals or objectives (Hoelzer, 2009). Auditing of Information Systems has become an essential part of business organization in both large and small business environments. This paper examines the preliminary points for carrying out an Information system audit and some of the techniques, tools, guidelines and standards that can be employed to build, manage, and examine the review function. The Certified Information Systems Auditor (CISA) qualification is recognized worldwide as a standard of accomplishment for those who assess, monitor, control and audit the information technology of an organization and business systems. It is for Information Systems experts with a concern in information systems security, control and audit. At least five years of specialized information systems security, auditing and control work practice is necessary for certification.
An audit contract should be present to evidently state the responsibility of the management, objectives for, and designation of authority to Information .
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx, by joellemurphey
Running head: AUDITING INFORMATION SYSTEMS PROCESS
Auditing information systems process
Student’s Name
University Affiliation
Process of Auditing information systems
Information systems are the livelihood of every huge company. As it has been in past years, computer systems don’t simply document transactions of business; rather, they essentially compel the main business procedures of the venture. In this kind of situation, superior administration and company managers usually have worries concerning an information system. Assessment is a methodical process in which a proficient, autonomous person impartially gets and assesses proof concerning affirmations about a financial unit or occasion with the intent to outline an outlook about and give feedback on the extent to which the contention matches an acknowledged set of standards. Information systems auditing refers to the administration controls assessment inside the communications of Information Technology. The obtained proof valuation is used to decide if systems of information are defensive assets, maintaining reliability of data, and also if they are efficiently operating in order to attain the organization’s goals or objectives (Hoelzer, 2009).
Auditing of Information Systems has become an essential part of business organization in both large and small business environments. This paper examines the preliminary points for carrying out an Information system audit and some of the techniques, tools, guidelines and standards that can be employed to build, manage, and examine the review function. The Certified Information Systems Auditor (CISA) qualification is recognized worldwide as a standard of accomplishment for those who assess, monitor, control and audit the information technology of an organization and business systems. It is for Information Systems experts with a concern in information systems security, control and audit. At least five years of specialized information systems security, auditing and control work practice is necessary for certification. An audit contract should be present to evidently state the responsibility of the management, the purpose for, in addition to the designation of power to, the audit of the Information System. The audit contract should also summarize the general rights, responsibilities and scope of the purpose of the audit. The uppermost level of management should endorse the contract, and once it is set up, this contract should be altered only if the amendment can be meticulously justified.
The process of auditing information systems involves:
Audit Function Management: this process includes a systematic assessment of the policies and methods of management of the organization in managemen ...
2010 06 gartner avoiding audit fatigue in nine steps 1d, by Gene Kim
Avoiding Audit Fatigue: Achieving Compliance In A Multi-compliance World In Nine Steps
Gartner Security/Risk Management Conference
July 2010
It's common for information security managers to be held responsible for failed audits where they had little control or influence in the rest of the organization. This presentation provides nine steps that information security managers can use to break the compliance blame cycle and build an information security program that more effectively mitigates security risk. By successfully executing these steps, the information security manager will no longer continually react to and manage the audit preparation crisis du jour. Instead, the information security manager will institute and rely upon regular, defined activities to complete the heavy lifting of preparing for a successful audit long before the audit occurs.
This session also describes how IT security managers can achieve alignment among all stakeholders so that information security and compliance activities become integrated into daily business operations.
Completing the nine steps in this presentation requires business stakeholders, IT management, and information security management to all mutually support the same goal. This session describes how to gain this alignment and defines the various compliance roles so that information security and compliance activities become integrated into daily
Information systems and its components ii, by Ashish Desai
This study note helps to identify the concepts of Control, Policies, Procedure and Practice applied inside the Information System. It also explains the types of control with a detailed description.
This is specially designed for the students of IPCC Group 2 (ICAI).
A Monitor System in Data Redundancy in Information System, by ijsrd.com
This paper studies the structure of a few of the Information Assurance (IA) processes currently being used in the United States government. The general structure of these processes is uncovered and used to create a Continuous Monitoring Process that can be used to create a tool to incorporate any process of similar structure. The paper defines a concept of continuous monitoring that attempts to create a process from the similar structure of several existing IA processes. The specific documents and procedures that differ among the processes can be incorporated to reuse scan results and manual checks that have already been conducted on an IS. A proof-of-concept application is drafted to demonstrate the main aspects of the proposed tool. The possibilities and implications of the proof-of-concept application are explored, to develop a fully functional and automated version of the proposed Continuous Monitoring tool.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act, by gueste080564
The use of spreadsheets in financial reporting and operational processes is a key tool for some corporations, and is an integral part of the information and decision-making framework.
Let the games begin - Insights into the Gaming Industry, by Bharath Rao
A knowledge scoop presentation series was presented by me within my team here at EY providing insights on the following:
- About the Gaming Industry
- Business Perspective and monetization within the Gaming Industry
- Cyber Security and Safety insights
Access the recording using the Youtube link below:
https://youtu.be/GpD3pXpNuoo
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance, by Bharath Rao
Guidance note on how COBIT 5 principles and processes may be leveraged to gain better compliance of the ICFR Laws and Regulations in Indian Context.
This document was contributed by my team and myself during my stint at Quadrisk. I feel proud and privileged to be a part of the document's creation. Your comments are most welcome!
This important guidance document provides assistance with the new Companies Act 2013. It can help you to improve governance and risk management integration, reduce the cost of non-compliance and enhance user outcomes. Companies now need to assert that Internal Controls over Financial Reporting are effective and reliable. In the event there are any qualifications, the same need to be disclosed to the stakeholders who rely on Financial Statements.
http://www.isaca.org/Knowledge-Center/Documents/Internal-Controls-for-Indian-Financial-Reporting-Using-COBIT-5-Based-Guidance_gui_Eng_0814.pdf
This presentation talks about how to scale up the local CA practice to global standards. Technology, Knowledge and experience are with us; let's use them well so that we can go Global and achieve a better sense of professional satisfaction.
The Next Gen Auditor - Auditing through technological disruptions, by Bharath Rao
Presentation on the risks and my ideas of audit procedures that can be executed to processes that involve technological disruptions incorporated by businesses.
This presentation consists of the newer technological risks that are to be considered by audit professionals during their audit engagements.
Thoughts and points of views are welcome to mailme@bharathraob.com
Big data, Machine learning and the Auditor, by Bharath Rao
An insight as to how an Auditor can leverage Analytics, machine learning and Technology to achieve absolute assurance and to effectively control the Fraud Risk present in the Enterprise.
International Business Transactions have indeed made the world smaller and more developed. However, due to free cross-boundary transactions, business entities are now able to generate revenue and not pay the appropriate taxes in their respective countries.
The G20 Countries had assigned the OECD to come up with anti-tax-evasion rules so that the countries of the world may accept the same without any dispute.
This presentation covers the BEPS Rules suggested by OECD and explains the changes in Tax Laws that India has incorporated in order to align with BEPS and to curb Tax Evasion.
This presentation was performed by my GMCS Team during the GMCS 2 Course at Mangalore Branch of SIRC of ICAI.
This presentation deals with the opportunities that are present for a Chartered Accountant to take his practice global.
This presentation was made by Shinoj Isac and myself as a presentation during the GMCS 2 Course conducted at Mangalore Branch of SIRC of ICAI.
This presentation was prepared by my GMCS team during the GMCS 2 course at Mangalore Branch of SIRC of ICAI.
This presentation gives an overview regarding the Forex Market and how one can use the Forex instruments and thus be able to transact globally.
An approach to deal with Forex Instruments in order to have accurate decision making has been outlined. This approach explains as to how an investor may be able to use Purchase Power Parity and Interest Rate Parity Theorems in order to transact.
Internal Controls over Financial Reporting in the Indian Context, by Bharath Rao
Section 143 of the Indian Companies Act 2013 has rewarded auditors with additional auditing responsibilities wherein assurance must be provided on the Internal Controls present in a Company's Business Environment. The Auditor must provide an opinion on the operating effectiveness of these Internal Financial Controls.
The Institute of Chartered Accountants of India has released a Guidance Note which provides the required guidance to an Auditor to conduct an Audit of the same.
This presentation deals with the legal requirement of IFCs, Auditing Responsibilities and Implementation Guides from guidance note.
This presentation was presented at the Study Circle conducted by the Mangalore Branch of SIRC of ICAI on 23rd June 2016.
Big Data Analytics and a Chartered Accountant, by Bharath Rao
Big Data Analytics is a growing field and is currently being capitalized on by many businesses. Businesses leverage Big Data to gain a keen understanding of Consumer Behavior and the Market. Additionally, Big Data can be used in different fields such as Financial Audit, Control Assurance and Forensics.
This presentation is made to provide an insight regarding what opportunities reside for a Chartered Accountant in order to provide suitable value creation with regards to Big Data Analytics.
This presentation was made during my GMCS 2 Course at Mangalore branch of SIRC of ICAI and hence has limited number of slides.
Physical and logical access controls - A prerequisite for Internal Controls, by Bharath Rao
Internal Controls truly form an integral part of the efficient functioning of any business. The use of information technology to operate business is picking up rapid pace.
Physical and Logical Access Controls are the two areas to begin implementing internal controls. The objective of all IT related Internal controls is to protect confidentiality, integrity and availability of Data.
This presentation was jointly presented by Tarish Vasant (tarishvasant@gmail.com) and myself (Bharath Rao, mailme@bharathraob.com) at the National Conclave held at Udupi on 6th January conducted by the Board of Studies of the Institute of Chartered Accountants of India and the Udupi Branch of SIRC of ICAI.
Standards of Auditing - Introduction and Application in the Indian Context, by Bharath Rao
A brief introduction to those who are new to the standards of auditing as issued by the Institute of Chartered Accountants of India. This presentation briefs about the concept of Auditing Standards, its relevance and its application in our daily audits.
The CIA Triad - Assurance on Information Security, by Bharath Rao
Confidentiality, Integrity and Availability of Data are the basis for providing assurance on IS Security. This document gives a small overview of the impact of confidentiality, integrity and availability on the data and the need of securing the CIA.
1. IS Audit and Internal Controls
Implementation and continuous review of the effectiveness of Internal Controls has always been a challenge for enterprises. Internal Controls can be compared to the chassis of a vehicle - without the chassis, the engine is rendered useless. Internal Controls are most needed in a corporate environment to prevent fraud incidence and to manage the risk of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and, with the help of technology, they have succeeded in increasing the size of their services, products and presence. Enterprises now have locations all over the world. Thus the need for correct Internal Controls is greater than ever.
A CA provided the following services until the effect of technology struck business. As a professional, he used to provide services such as Audit, Tax, Company Matters, Legal Compliances, Accounting, etc. Specifically as an Audit Professional, he used to render services of conducting audit engagements such as Statutory Audit, Tax Audits (both Direct and Indirect Taxes), Special Audits (as prescribed under various Acts), Bank Audits, Internal Audits, etc. There is a paradigm shift in the expectations from Chartered Accountants in the new scenario.
A CA as an audit professional can provide more services that relate to technology, such as IS Audits, Implementation of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic Audits, etc.
A CA is expected to know and review the implementation of new regulations and standards like The Sarbanes – Oxley Act of 2002 – Sections 302 and 404, The Companies Act 2013 – Sections 134 and 143, Clause 49 of SEBI’s Listing Agreement, Privacy Acts of various Countries and Standards like the ISO 27000 Family, ISO 22301, BSI (British Standards Institute) Standards, and PAS (Publicly Available Standards) Standards, etc., not forgetting Frameworks like COBIT 5 (Control Objectives for Information and Related Technology) and the COSO (Committee of Sponsoring Organizations) Framework for Internal Controls.
One such greenfield service is the engagement of conducting IS Audits or Information Systems Audits. An IS Audit is related to Internal Audit. Internal Controls that are present in the enterprise are completely relevant while conducting an IS Audit.
These are some keywords that will recur in this study, and it is important to understand them.
1. Control: It means the Internal Controls present in a business environment. They can be IT Controls or non-IT Controls.
2. Risk: The likelihood that a specific event (or the failure of an event to occur) threatens the business, weighed together with the impact on the business if it does.
3. Process: A set of tasks makes a workflow. A set of workflows makes a process. A process is controlled by a "Process Owner" or "Function Head". E.g. HR Process, Procurement Process.
Internal Control simply means "Policies framed by the management in order to have stronger and adequate control of affairs within the enterprise, which can be checked by the Internal or Statutory Auditor in order to ensure that the goals and objectives of the enterprise are duly met". They are practices and processes enforced on the employees of an enterprise to prevent fraud and to maintain the integrity of data.
Internal Controls are said to be the sum of General Controls and IS Controls. IS Controls are in turn the sum of IT Application Controls and IT General Controls. General Controls are Internal Controls that are not enforced through the IT system, unlike IS Controls. IS Controls are controls present on the enterprise's IT Infrastructure, which includes hardware and software.
IT Application Controls: They vary depending on the applications the enterprise has installed for its revenue generation. Application software is the software that processes business transactions; it could be a retail banking system, an inventory system or an integrated ERP. Controls that relate to business applications, lead to judicious use of the application and are enforced through the application itself on the end user are called IT Application Controls. IT Application Controls can be broadly classified into five categories:
1. Input Controls: Controls enforced while a user inputs data. E.g. data checks and validations.
2. Processing Controls: Controls enforced while the input data is processed. E.g. duplicate checks, file identification and validation etc.
3. Output Controls: Controls enforced when the processed data is displayed or distributed. E.g. update authorizations etc.
4. Integrity Controls: Controls that preserve the genuineness and accuracy of data. E.g. data encryption, input validations etc. These controls can be enforced during input, processing and storage of data.
5. Management Trails: Controls that let management trace the audit trail of a transaction. E.g. time stamps and application snapshots.
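The five categories above are easiest to recognise when each one is a concrete check in an application. The following Python example is added here and is not code from the original article or from any product it names: a toy transaction ledger in which field validation plays the role of the input controls, a duplicate transaction-ID check the processing control, a second-approver rule the output/authorization control, a keyed hash over each stored record the integrity control, and a timestamped, hash-chained log the management trail. The field names, the 10-digit account format, the limits, the 100,000 dual-approval threshold and the HMAC key are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation

# Assumed values for illustration only; a real system would load the key
# from a secrets store and take the limits from configuration.
INTEGRITY_KEY = b"demo-key-not-for-production"
ALLOWED_CURRENCIES = {"INR", "USD", "EUR"}
MAX_AMOUNT = Decimal("1000000.00")
DUAL_APPROVAL_FROM = Decimal("100000.00")


class ControlViolation(Exception):
    """Raised when an application control rejects a transaction."""


def input_controls(raw: dict) -> dict:
    """Input controls: every field is validated before it enters processing."""
    missing = {"txn_id", "account", "amount", "currency", "user"} - set(raw)
    if missing:
        raise ControlViolation(f"missing fields: {sorted(missing)}")
    if not (raw["account"].isdigit() and len(raw["account"]) == 10):
        raise ControlViolation("account must be exactly 10 digits")
    try:
        amount = Decimal(str(raw["amount"]))
    except InvalidOperation:
        raise ControlViolation("amount is not numeric")
    if amount <= 0 or amount > MAX_AMOUNT or amount != amount.quantize(Decimal("0.01")):
        raise ControlViolation("amount out of range or not to two decimals")
    if raw["currency"] not in ALLOWED_CURRENCIES:
        raise ControlViolation("unsupported currency")
    return {**raw, "amount": amount}


class Ledger:
    def __init__(self):
        self.posted = {}            # txn_id -> record; backs the duplicate check
        self.trail = []             # management trail: timestamped, hash-chained
        self._prev_digest = "0" * 64

    def _integrity_tag(self, record: dict) -> str:
        """Integrity control: keyed hash over the canonical stored record."""
        canon = json.dumps(record, sort_keys=True).encode()
        return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()

    def post(self, raw: dict, approver: str = "") -> dict:
        txn = input_controls(raw)
        # Processing control: a transaction ID may be posted only once.
        if txn["txn_id"] in self.posted:
            raise ControlViolation(f"duplicate txn_id {txn['txn_id']}")
        # Output/authorization control: large postings need a different approver.
        if txn["amount"] >= DUAL_APPROVAL_FROM and (not approver or approver == txn["user"]):
            raise ControlViolation("amount requires approval by a different user")
        record = {k: str(v) for k, v in txn.items()}
        record["approver"] = approver
        record["tag"] = self._integrity_tag(record)
        self.posted[txn["txn_id"]] = record
        # Management trail: UTC timestamp plus a link to the previous entry,
        # so a deleted or reordered entry is caught by verify_trail().
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "txn_id": txn["txn_id"], "prev": self._prev_digest}
        entry["digest"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_digest = entry["digest"]
        self.trail.append(entry)
        return record

    def verify_record(self, txn_id: str) -> bool:
        """Recompute the keyed tag; False if any stored field was altered."""
        rec = dict(self.posted[txn_id])
        tag = rec.pop("tag")
        return hmac.compare_digest(tag, self._integrity_tag(rec))

    def verify_trail(self) -> bool:
        prev = "0" * 64
        for e in self.trail:
            body = {k: v for k, v in e.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["digest"]:
                return False
            prev = e["digest"]
        return True


def attempt(ledger: Ledger, raw: dict, approver: str = "") -> str:
    """Post a transaction and report the outcome as a string."""
    try:
        ledger.post(raw, approver)
        return "posted"
    except ControlViolation as exc:
        return f"rejected: {exc}"


def run_demo():
    """Constructed sample transactions exercising each control category."""
    led = Ledger()
    base = {"txn_id": "T1", "account": "1234567890", "amount": "250.00",
            "currency": "INR", "user": "alice"}
    results = [
        attempt(led, base),                                             # posted
        attempt(led, base),                                             # duplicate txn_id
        attempt(led, {**base, "txn_id": "T2", "amount": "12.345"}),     # input control
        attempt(led, {**base, "txn_id": "T3", "amount": "150000.00"}),  # needs approver
        attempt(led, {**base, "txn_id": "T3", "amount": "150000.00"}, approver="bob"),
    ]
    return results, led
```

An auditor testing this application would expect the rejections in `run_demo()` to be reproducible on the live system with the same inputs (design effectiveness), and would sample posted records and trail entries and rerun `verify_record()` and `verify_trail()` over them to confirm the integrity and trail controls held throughout the period (operating effectiveness).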
IT General Controls: They may also be referred to as General Computer Controls. These are controls other than IT Application Controls which relate to the environment within which computer-based application systems are developed, maintained and operated, and which are therefore applicable to all applications. They are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
IT General Controls can be broadly classified into the following areas:
1. Physical Access Controls: These controls protect the physical locations of the IT Infrastructure. E.g. security personnel, physical locks, biometric locks, CCTV etc.
2. Data Center Controls: These controls are enforced specifically at the data centers of an enterprise. A data center is treated as an extremely sensitive area and thus carries a higher risk. E.g. biometric locks, server racks, air conditioning, fire extinguishers, environmental (temperature and humidity) controls, a log register of people entering etc.
3. IS Security: These controls are enforced at every level of the IT Infrastructure. Their objective is the protection of information assets: the CIA triad of Confidentiality, Integrity and Availability of data is enforced and information security is maintained. E.g. firewalls, antivirus, anti-spyware, timely updating of software, antivirus signatures and patches etc.
4. System Development Life Cycle and Change Management Controls: These controls ensure that the correct process of software development/procurement and release management is followed. E.g. a documented process for procuring software, a documented process for incorporating changes to the acquired software etc.
5. Logical Controls: These controls restrict what the employees who use the IT Infrastructure can access. Their motive is to protect the identities of the employees and to prevent misuse. E.g. user account passwords, access removal upon termination, screen locks etc.
6. Backup and Recovery: These controls ensure proper backup and recovery processes for the organization's data. E.g. daily backup of data and environment (OS), restoration trials etc.
7. End User Computing: These controls are enforced directly on the employees, with the objective of preventing abuse of the IT Infrastructure by employees. E.g. logging and review of user activity, disabling of USB ports etc.
An IS Audit is performed to provide assurance that all of the above-mentioned controls are adequate and satisfactory for the nature of the enterprise and operate effectively across its functions. An IS Audit is typically divided into two sections, i.e. Review of IT Application Controls (ITAC) and Review of IT General Controls (ITGC). An IS Audit would have the following process:
1. An IS Auditor begins the audit engagement with a conversation with the IT Administrator/CIO of the enterprise and reviews all the documented policies and processes enforced within the organization. Documented policies would include an IS Security Policy, a Bring Your Own Device (BYOD) Policy, a Password Policy, a BCP etc. Through this the IS Auditor gains an understanding of the overall level of Internal Controls.
2. The IS Auditor then gains an understanding of the applications implemented in the IT Infrastructure. This is the base for deciding the plan of action for the audit. The next step is to collect a list of all the types of logs that the applications can generate.
3. After collecting the above information, the auditor identifies the risks applicable to the enterprise. The approach is to create a matrix for each application and area (for ITAC and ITGC respectively) and identify the controls enforced in the enterprise. All identification and review of controls is performed by sampling, observation or any other suitable method.
4. Testing of Design Effectiveness and Testing of Operating Effectiveness are performed on every identified control. Testing of Design Effectiveness examines the control as documented, i.e. the blueprint of the control: would it mitigate the risk if it worked as described? Testing of Operating Effectiveness examines the actual performance of the control in the IT Environment over the audit period.
5. It is important for the IS Auditor to collect sufficient evidence while identifying and testing the controls. Evidence can be in the form of screenshots, email threads, scanned documents, photographs, minutes of meetings, system-generated logs and reports etc.
6. A Risk Rating exercise is then performed on the identified controls to see whether each control is sufficient to mitigate the identified risk.
7. Based on the Risk Ratings and the evidence collected, suitable recommendations are made and an IS Audit report is drafted and shared with the enterprise.
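The following Python script is an added example, not part of the original article, of what the testing of operating effectiveness in step 4 looks like for one of the Logical Controls named earlier, "access removal upon termination". The auditor obtains two extracts, an HR list of leavers with their last working day and an application user export with account status, disable date and last login, and reconciles them over the whole population of leavers rather than by interview. Both CSV extracts here are constructed sample data, the one-day removal deadline is an assumed policy, and the conclusion rule (any exception means the control did not operate effectively) is a simplification of the auditor's judgement. The orphan account and post-termination login findings it also surfaces feed the risk rating and the report in steps 6 and 7.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample extracts (not from any real enterprise). The HR system
# gives each leaver's last working day (LWD); the application export gives the
# account status as of the audit date, when it was disabled, and the last login.
HR_TERMINATIONS = """emp_id,name,last_working_day
E100,A. Sharma,2024-03-01
E101,B. Rao,2024-03-15
E102,C. Iyer,2024-04-02
E103,D. Khan,2024-04-20
"""

APP_USERS = """username,emp_id,status,disabled_on,last_login
asharma,E100,disabled,2024-03-01,2024-02-29
brao,E101,active,,2024-04-10
ciyer,E102,disabled,2024-04-09,2024-04-03
dkhan,E103,disabled,2024-04-21,2024-04-19
svc_batch,,active,,2024-04-30
"""

AUDIT_DATE = date(2024, 4, 30)
GRACE_DAYS = 1   # Assumed policy: access must be removed within 1 day of the LWD.


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_date(text):
    return date.fromisoformat(text) if text else None


def assess_access_removal(hr_csv, users_csv, audit_date, grace_days):
    """Operating-effectiveness test of 'access removal upon termination'.

    Every leaver in the HR extract who holds an application account is in the
    sample; an exception is an account still active at the audit date or
    disabled after the policy deadline. Post-termination logins and accounts
    with no HR owner are reported as additional findings.
    """
    leavers = {r["emp_id"]: parse_date(r["last_working_day"]) for r in load(hr_csv)}
    findings, sampled, exceptions = [], set(), set()
    for u in load(users_csv):
        emp, name = u["emp_id"], u["username"]
        if not emp:
            findings.append(("orphan-account", name, "no HR record; owner must be identified"))
            continue
        if emp not in leavers:
            continue                     # current employee, outside this test
        sampled.add(emp)
        lwd = leavers[emp]
        deadline = lwd + timedelta(days=grace_days)
        disabled_on = parse_date(u["disabled_on"])
        last_login = parse_date(u["last_login"])
        if u["status"] == "active" or disabled_on is None:
            exceptions.add(emp)
            findings.append(("still-active", name, f"LWD {lwd}, still active on {audit_date}"))
        elif disabled_on > deadline:
            exceptions.add(emp)
            late = (disabled_on - deadline).days
            findings.append(("late-removal", name, f"disabled {late} day(s) after deadline {deadline}"))
        if last_login and last_login > lwd:
            findings.append(("post-termination-login", name, f"last login {last_login} after LWD {lwd}"))
    sample, exc = len(sampled), len(exceptions)
    rate = exc / sample if sample else 0.0
    if sample == 0:
        conclusion = "no leavers with accounts in the period; control not tested"
    elif exc == 0:
        conclusion = f"operating effectively ({sample} of {sample} sampled terminations removed in time)"
    else:
        conclusion = f"not operating effectively ({exc} of {sample} sampled terminations, {rate:.0%} exception rate)"
    return {"sample": sample, "exceptions": exc, "findings": findings, "conclusion": conclusion}


if __name__ == "__main__":
    result = assess_access_removal(HR_TERMINATIONS, APP_USERS, AUDIT_DATE, GRACE_DAYS)
    for kind, user, detail in result["findings"]:
        print(f"{kind:24} {user:12} {detail}")
    print("Conclusion:", result["conclusion"])
```

The two extracts, the script and its output are themselves the evidence for step 5; the auditor should also record how and when each extract was generated, because an export taken after the IT team has been warned of the audit is weaker evidence than one taken from the system of record at the audit date.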
Thus the ultimate test of IT Internal Controls can be performed in an IS Audit. Based on the findings and observations, an IS Auditor is able to provide sufficient assurance as to whether the incorporated controls are adequate or not for the nature and size of the IT Infrastructure of the enterprise.