SlideShare a Scribd company logo
IS Audit and Internal Controls
Implementation and continuous review of effectiveness of Internal Controls has always been a challenge for
enterprises.Internal Controlscanbe comparedto the chassisof avehicle - withoutthe chassis,the engine isrendered
useless.Internal Controlsare mostneededinacorporate environmenttopreventfraudincidence andtomanage risk
of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and along
withhelpof technology,they have succeededinincreasingtheirsize of services,producesandpresence. Enterprises
are nowhavingtheirlocationsall overthe world. Thusthe needof havingcorrectInternal Controlsismore thanever.
A CA provided the following services until the effect of technology struck business.As a professional, he used to
provide servicessuchasAudit,Tax,CompanyMatters,Legal Compliances,andAccountingetc.SpecificallyasanAudit
Professional, he usedto render services of conducting audit engagements such as Statutory Audit, Tax Audits (both
DirectandIndirectTaxes),SpecialAudits(asprescribedundervarious Acts),BankAudits,andInternal Auditsetc.There
is a paradigm shift in the expectations from Chartered Accountants in the new scenario.
A CA as an audit professional can provide more services that relate to technologysuch as IS Audits, Implementation
of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic
Audits etc.
A CA is expectedtoknowand review implementationof new regulationsandstandards like The Sarbanes – Oxley
Act of 2002 – Section 302 and 404, The Companies Act 2013 – Section 134 and 143, Clause 49 of SEBI’s Listing
Agreement,Privacy Acts of variousCountries and Standards like ISO 27000 Family, ISO 22301, BSI (British Standards
Institute) Standards, and PAS (Public Available Standards) Standards etc., not forgetting Frameworks like COBIT 5
(Control Objectives for Information and Related Technology) and COSO (Committee of Sponsoring Organizations)
Framework for Internal Controls.
One such greenfield service is the engagement of conducting IS Audits or Information Systems Audit. An IS Audit is
relatedtoInternal Audit.Internal Controlsthatare presentintheenterpriseare completelyrelevant whileconducting
an IS Audit.
These are some keywords that would be repeating in this study and is important to understand them.
1. Control:It literallymeansInternal Controlsthatispresentina businessenvironment.Itcan be IT Controlsor
non IT Controls.
2. Risk: It is the rate at which there is a threat to the business which has arisen from a specific happening/non
happening.
3. Process: A set of tasks make a work flow. A set of work flows make a process. A process is controlled by a
“Process owner” or “Function head”. E.g. HR Process, Procurement Process.
Internal Control simply means “Policies framedby the management in order to have stronger and adequate control
of affairswithinthe enterprise,andwhichcanbe checkedbythe Internal orStatutoryAuditorinorderto ensure that
the goalsandobjectivesof the enterpriseare dulymet”. Theyare practicesandprocessesenforcedonthe employees
of an enterprise to prevent fraud and to maintain integrity of the data.
Internal Controlsissaidtobe asumof General ControlsandISControls.IScontrolsissaidtobe asumof IT Application
Controls and IT General Controls. General Controls refers to Internal controls that are not enforced through the IT
System unlike the IS Controls. IS Controls are controls that are present on the enterprise’s IT Infrastructure. IT
Infrastructure includes hardware and software.
IT Application Controls: They vary depending on the applications that have been installed by the enterprise for its
revenue generation. Application software is the software that processes business transactions. The Application
software couldbe aretail bankingsystem, anInventorysystemorpossibly anintegratedERP.Controlswhichrelateto
businessapplicationsleading tojudicial use of the applicationand enforcedthroughthe applicationitself tothe end
user are called IT Application Controls. IT Application Controls can be broadly classified into five categories:
1. InputControls:Controlsthatare enforcedduringthe inputof databya user.E.g.Data Checksandvalidations.
2. Processing Controls: Controls that are enforced during the processing of data that have been input. E.g.
duplicate checks, File Identifications and Validations etc.
3. Output Controls: Controls that are enforced during display of output of the processed data. E.g. Update
Authorizations etc.
4. Integrity Controls: These controls are used to preserve the genuineness and accuracy of data. E.g. Data
Encryption,InputValidationsetc.These controlscan be enforcedduringinputandprocessingand storage of
data.
5. Management Trails: These controls are for the management to find out the audit trail of a transaction. E.g.
Time stamps and snapshots of application.
IT General Controls: They may also be referred as General Computer controls. These are controls other than IT
Application Controls, which relate to the environment within which computer-based application systems are
developed,maintainedandoperatedandare thereforeapplicabletoall applicationsTheseare policiesandprocedures
that relate tomanyapplicationsandsupportthe effectivefunctioningof applicationcontrolsbyhelpingtoensure the
continued proper operation of information systems.
IT General Controls can be broadly classified into the following areas:
1. Physical Access Controls: These controls are enforced at protecting the physical locations of the IT
Infrastructure. E.g. Security Personnel, Physical Locks, Bio Metric Locks, CCTV etc.
2. Data Center Controls: These controls are enforced specifically at the data centers of an enterprise. A data
centeristreatedas an extremelysensitive areaandthusa higherriskwouldbe present.E.g.BiometricLocks,
Presence of ServerRacks, Presence of AirConditioners,Fire Extinguishers,WeatherControls,LogRegisterof
people etc.
3. IS Security:These controlsare enforcedateverylevelof ITInfrastructure.The objectivesof thesecontrolsare
protectionof InformationAssets. The CIA triadisenforcedi.e.Confidentiality,IntegrityandAvailabilityof Data
andinformationsecurityismaintained.E.g.Firewall,Antivirus,Anti Spyware,Timely updatingof software and
antivirus updates and patches etc.
4. SystemDevelopmentLifeCycle andChangeManagementControls:Thesecontrolsare enforcedtoensure that
the correct process of software development/procurement and release management is followed. E.g.
Documented Process for procuringsoftware, Documented Processof incorporating changes to the acquired
software etc.
5. Logical Controls: These are controls which provide access restrictions to the employees who use the IT
Infrastructure. The motive of these controls is to protect the identities of the employees and to prevent
misuse. E.g. User Account Passwords, Access Removal upon termination, screen locks etc.
6. Backupand Recovery:These controlsare presentto ensure properbackupandrecoveryprocessesof the data
of the organization. E.g. Daily Backup of data and environment (OS), Restoration Practice trial etc.
7. End usercomputing:These controlsare enforceddirectlyonthe employees.Thesecontrolsare enforcedwith
an objective of prevention of IT Infrastructure Abuse by the employees. E.g. Logging of user activity and
Review, Disabling of USB Ports etc.
An ISAuditisperformedtoprovide assurance thatall of the above mentionedcontrolsare adequateandsatisfactory
to the nature of the enterprise and effectively operational in the functions of the enterprise. An IS Audit is typically
dividedintotwosectionsi.e.Review of ITApplicationControls(ITAC) andReview of ITGeneral Controls(ITGC).AnIS
Audit would have the following process:-
 An IS Auditor would begin his audit engagement by having conversation withthe IT Administrator/CIO of an
enterprise. The IS auditor would review all the documented policies and processes that are being enforced
withinthe organization.Documentedpolicieswouldinclude aISSecurityPolicy,BringYourOwnDevice Policy
(BYOD),PasswordPolicy,BCPetc.The ISAuditorwouldbe gaininganunderstandingof the overall level of the
Internal Controls.
 An IS Auditor would then gain an understanding of the applications that have been implemented in the IT
Infrastructure. It would be a base for him to decide the plan of action of the Audit.
 The next step would be to collect a list of all the types of logs that can be generated by the applications.
 Aftercollectingthe above information,the auditorthe auditor identifiesthe risksthat are applicable forthe
enterprise. The approachthatwouldbe followed istocreate a matrix foreach applicationandarea (forITAC
andITGC respectively) andwouldidentifythecontrolsthatare enforcedinthe enterprise.All the identification
and Review of controls would be performed by sampling, observations or any other method.
 Testing of Design Effectivenessand testing of operating effectiveness would be performed by the IS Auditor
on every identifiedcontrol. Testing of Design Effectiveness refersto the working design of the control as
documented.Itis a blue printof the control.Testingof OperatingEffectivenessreferstoactual performance
of the Control in the IT Environment.
 It isimportantforthe ISAuditorto collectsufficientevidencewhile identifyingthe controls.Evidencescanbe
in the form of Screenshots, Email threads, Scanned documents, photographs, Minutes of Meetings etc.
 A Risk Rating exercise is then performed to the identified controls to see whether the identified control is
sufficient to mitigate the identified risk.
 Based on the Risk Ratings and the evidences collected, suitable recommendations would be suggestedand
accordingly an IS Audit report would be drafted and shared to the enterprise.
Thus the ultimate test of IT Internal Controls can be performed in an IS Audit. Based on the findings and
observations,anIS Auditorwouldbe able to provide sufficientassurance whetherthe incorporatedcontrolsare
adequate or not to the nature and size of the IT Infrastructure of the enterprise.

More Related Content

What's hot

CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
Muhammad Azmy
 
Information system control and audit
Information system control and auditInformation system control and audit
Information system control and audit
Astri Stiawaty
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
Dinesh O Bareja
 
Software Asset Management
Software Asset ManagementSoftware Asset Management
Software Asset Management
icomply
 
Sod remediation best practices for isaca
Sod remediation best practices for isacaSod remediation best practices for isaca
Sod remediation best practices for isaca
pooshu
 
3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a
Gene Kim
 
Internal controls in an IT environment
Internal controls in an IT environment Internal controls in an IT environment
Internal controls in an IT environment
Chris Nicole Apat-Orcullo, CPA
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPs
Jayesh Daga
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Compliance
seanpizzy
 
Segregation of Duties Solutions
Segregation of Duties SolutionsSegregation of Duties Solutions
Segregation of Duties Solutions
Ahmed Abdul Hamed
 
Information System Architecture and Audit Control Lecture 2
Information System Architecture and Audit Control Lecture 2Information System Architecture and Audit Control Lecture 2
Information System Architecture and Audit Control Lecture 2
Yasir Khan
 
Business impact.analysis based on ISO 22301
Business impact.analysis based on ISO 22301Business impact.analysis based on ISO 22301
Business impact.analysis based on ISO 22301
mascot4u
 
task 1
task 1task 1
Predictive Maintenance: Achieving Level 4 Maturity
Predictive Maintenance: Achieving Level 4 MaturityPredictive Maintenance: Achieving Level 4 Maturity
Predictive Maintenance: Achieving Level 4 Maturity
FieldCircle
 
Active Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseActive Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the Enterprise
Netwrix Corporation
 
Info Security & PCI(original)
Info Security & PCI(original)Info Security & PCI(original)
Info Security & PCI(original)
NCTechSymposium
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOX
Mahesh Patwardhan
 
Task 2
Task 2Task 2
Database auditing models
 Database auditing models  Database auditing models
Database auditing models
ERSHUBHAM TIWARI
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
Laura Perry
 

What's hot (20)

CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
 
Information system control and audit
Information system control and auditInformation system control and audit
Information system control and audit
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
 
Software Asset Management
Software Asset ManagementSoftware Asset Management
Software Asset Management
 
Sod remediation best practices for isaca
Sod remediation best practices for isacaSod remediation best practices for isaca
Sod remediation best practices for isaca
 
3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a
 
Internal controls in an IT environment
Internal controls in an IT environment Internal controls in an IT environment
Internal controls in an IT environment
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPs
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Compliance
 
Segregation of Duties Solutions
Segregation of Duties SolutionsSegregation of Duties Solutions
Segregation of Duties Solutions
 
Information System Architecture and Audit Control Lecture 2
Information System Architecture and Audit Control Lecture 2Information System Architecture and Audit Control Lecture 2
Information System Architecture and Audit Control Lecture 2
 
Business impact.analysis based on ISO 22301
Business impact.analysis based on ISO 22301Business impact.analysis based on ISO 22301
Business impact.analysis based on ISO 22301
 
task 1
task 1task 1
task 1
 
Predictive Maintenance: Achieving Level 4 Maturity
Predictive Maintenance: Achieving Level 4 MaturityPredictive Maintenance: Achieving Level 4 Maturity
Predictive Maintenance: Achieving Level 4 Maturity
 
Active Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseActive Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the Enterprise
 
Info Security & PCI(original)
Info Security & PCI(original)Info Security & PCI(original)
Info Security & PCI(original)
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOX
 
Task 2
Task 2Task 2
Task 2
 
Database auditing models
 Database auditing models  Database auditing models
Database auditing models
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
 

Viewers also liked

Big data - The next best thing
Big data - The next best thingBig data - The next best thing
Big data - The next best thing
Bharath Rao
 
Internal Controls over Indian Financial Reporting
Internal Controls over Indian Financial ReportingInternal Controls over Indian Financial Reporting
Internal Controls over Indian Financial Reporting
Bharath Rao
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
Bharath Rao
 
ISO 50001 & SEP Practitioners Guide
ISO 50001 & SEP Practitioners Guide ISO 50001 & SEP Practitioners Guide
ISO 50001 & SEP Practitioners Guide
Veritatis Advisors, Inc.
 
Example EMS Manual - ISO 14001
Example EMS Manual - ISO 14001Example EMS Manual - ISO 14001
Example EMS Manual - ISO 14001
James Charles
 
Guide to iso50001
Guide to iso50001Guide to iso50001
Guide to iso50001
Dalila Ammar
 

Viewers also liked (6)

Big data - The next best thing
Big data - The next best thingBig data - The next best thing
Big data - The next best thing
 
Internal Controls over Indian Financial Reporting
Internal Controls over Indian Financial ReportingInternal Controls over Indian Financial Reporting
Internal Controls over Indian Financial Reporting
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
 
ISO 50001 & SEP Practitioners Guide
ISO 50001 & SEP Practitioners Guide ISO 50001 & SEP Practitioners Guide
ISO 50001 & SEP Practitioners Guide
 
Example EMS Manual - ISO 14001
Example EMS Manual - ISO 14001Example EMS Manual - ISO 14001
Example EMS Manual - ISO 14001
 
Guide to iso50001
Guide to iso50001Guide to iso50001
Guide to iso50001
 

Similar to IS Audits and Internal Controls

IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
Mufaddal Nullwala
 
Information systems and its components iii
Information systems and its components   iiiInformation systems and its components   iii
Information systems and its components iii
Ashish Desai
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
JoshJaro
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
LynellBull52
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS              .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS              .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
joellemurphey
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
Kaushal Trivedi
 
CONTROL AND AUDIT
CONTROL AND AUDITCONTROL AND AUDIT
CONTROL AND AUDIT
Ros Dina
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
2010 06 gartner avoiding audit fatigue in nine steps 1d
2010 06 gartner   avoiding audit fatigue in nine steps 1d2010 06 gartner   avoiding audit fatigue in nine steps 1d
2010 06 gartner avoiding audit fatigue in nine steps 1d
Gene Kim
 
Audit presentation
Audit presentationAudit presentation
Audit presentation
Metafrique group
 
Information systems and its components ii
Information systems and its components   iiInformation systems and its components   ii
Information systems and its components ii
Ashish Desai
 
A Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information SystemA Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information System
ijsrd.com
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
bankauditinITEnv
bankauditinITEnvbankauditinITEnv
bankauditinITEnv
Dr Vijay Pithadia Director
 
bankauditinITEnv
bankauditinITEnvbankauditinITEnv
bankauditinITEnv
Dr Vijay Pithadia Director
 
Business Objectives & Control Objectives in Information Technology
Business Objectives  &  Control Objectives  in  Information TechnologyBusiness Objectives  &  Control Objectives  in  Information Technology
Business Objectives & Control Objectives in Information Technology
Mufaddal Nullwala
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
HardikKundra
 
2020 Updated Cisa Real Exam Questions
2020 Updated Cisa Real Exam Questions2020 Updated Cisa Real Exam Questions
2020 Updated Cisa Real Exam Questions
douglascarnicelli
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
gueste080564
 

Similar to IS Audits and Internal Controls (20)

IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
Information systems and its components iii
Information systems and its components   iiiInformation systems and its components   iii
Information systems and its components iii
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS              .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS              .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
CONTROL AND AUDIT
CONTROL AND AUDITCONTROL AND AUDIT
CONTROL AND AUDIT
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
2010 06 gartner avoiding audit fatigue in nine steps 1d
2010 06 gartner   avoiding audit fatigue in nine steps 1d2010 06 gartner   avoiding audit fatigue in nine steps 1d
2010 06 gartner avoiding audit fatigue in nine steps 1d
 
Audit presentation
Audit presentationAudit presentation
Audit presentation
 
Information systems and its components ii
Information systems and its components   iiInformation systems and its components   ii
Information systems and its components ii
 
A Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information SystemA Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information System
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
bankauditinITEnv
bankauditinITEnvbankauditinITEnv
bankauditinITEnv
 
bankauditinITEnv
bankauditinITEnvbankauditinITEnv
bankauditinITEnv
 
Business Objectives & Control Objectives in Information Technology
Business Objectives  &  Control Objectives  in  Information TechnologyBusiness Objectives  &  Control Objectives  in  Information Technology
Business Objectives & Control Objectives in Information Technology
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
 
2020 Updated Cisa Real Exam Questions
2020 Updated Cisa Real Exam Questions2020 Updated Cisa Real Exam Questions
2020 Updated Cisa Real Exam Questions
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 

More from Bharath Rao

Let the games begin - Insights into the Gaming Industry
Let the games begin - Insights into the Gaming IndustryLet the games begin - Insights into the Gaming Industry
Let the games begin - Insights into the Gaming Industry
Bharath Rao
 
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based GuidanceInternal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Bharath Rao
 
Going global while being local
Going global while being localGoing global while being local
Going global while being local
Bharath Rao
 
The Next Gen Auditor - Auditing through technological disruptions
The Next Gen Auditor - Auditing through technological disruptionsThe Next Gen Auditor - Auditing through technological disruptions
The Next Gen Auditor - Auditing through technological disruptions
Bharath Rao
 
Big data, Machine learning and the Auditor
Big data, Machine learning and the AuditorBig data, Machine learning and the Auditor
Big data, Machine learning and the Auditor
Bharath Rao
 
Base Erosion and Profit Shifting
Base Erosion and Profit ShiftingBase Erosion and Profit Shifting
Base Erosion and Profit Shifting
Bharath Rao
 
Chartered Accountant going Global
Chartered Accountant going GlobalChartered Accountant going Global
Chartered Accountant going Global
Bharath Rao
 
Forex markets
Forex marketsForex markets
Forex markets
Bharath Rao
 
Internal Controls over Financial Reporting in the Indian Context
Internal Controls over Financial Reporting in the Indian Context Internal Controls over Financial Reporting in the Indian Context
Internal Controls over Financial Reporting in the Indian Context
Bharath Rao
 
Big Data Analytics and a Chartered Accountant
Big Data Analytics and a Chartered AccountantBig Data Analytics and a Chartered Accountant
Big Data Analytics and a Chartered Accountant
Bharath Rao
 
Physical and logical access controls - A pre-requsite for Internal Controls
Physical and logical access controls - A pre-requsite for Internal ControlsPhysical and logical access controls - A pre-requsite for Internal Controls
Physical and logical access controls - A pre-requsite for Internal Controls
Bharath Rao
 
Standards of Auditing - Introduction and Application in the Indian Context
Standards of Auditing - Introduction and Application in the Indian ContextStandards of Auditing - Introduction and Application in the Indian Context
Standards of Auditing - Introduction and Application in the Indian Context
Bharath Rao
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
Bharath Rao
 

More from Bharath Rao (13)

Let the games begin - Insights into the Gaming Industry
Let the games begin - Insights into the Gaming IndustryLet the games begin - Insights into the Gaming Industry
Let the games begin - Insights into the Gaming Industry
 
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based GuidanceInternal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
 
Going global while being local
Going global while being localGoing global while being local
Going global while being local
 
The Next Gen Auditor - Auditing through technological disruptions
The Next Gen Auditor - Auditing through technological disruptionsThe Next Gen Auditor - Auditing through technological disruptions
The Next Gen Auditor - Auditing through technological disruptions
 
Big data, Machine learning and the Auditor
Big data, Machine learning and the AuditorBig data, Machine learning and the Auditor
Big data, Machine learning and the Auditor
 
Base Erosion and Profit Shifting
Base Erosion and Profit ShiftingBase Erosion and Profit Shifting
Base Erosion and Profit Shifting
 
Chartered Accountant going Global
Chartered Accountant going GlobalChartered Accountant going Global
Chartered Accountant going Global
 
Forex markets
Forex marketsForex markets
Forex markets
 
Internal Controls over Financial Reporting in the Indian Context
Internal Controls over Financial Reporting in the Indian Context Internal Controls over Financial Reporting in the Indian Context
Internal Controls over Financial Reporting in the Indian Context
 
Big Data Analytics and a Chartered Accountant
Big Data Analytics and a Chartered AccountantBig Data Analytics and a Chartered Accountant
Big Data Analytics and a Chartered Accountant
 
Physical and logical access controls - A pre-requsite for Internal Controls
Physical and logical access controls - A pre-requsite for Internal ControlsPhysical and logical access controls - A pre-requsite for Internal Controls
Physical and logical access controls - A pre-requsite for Internal Controls
 
Standards of Auditing - Introduction and Application in the Indian Context
Standards of Auditing - Introduction and Application in the Indian ContextStandards of Auditing - Introduction and Application in the Indian Context
Standards of Auditing - Introduction and Application in the Indian Context
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
 

Recently uploaded

Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel ChartSatta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
➒➌➎➏➑➐➋➑➐➐Dpboss Matka Guessing Satta Matka Kalyan Chart Indian Matka
 
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdfModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
fisherameliaisabella
 
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
my Pandit
 
-- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month ---- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month --
NZSG
 
Building Your Employer Brand with Social Media
Building Your Employer Brand with Social MediaBuilding Your Employer Brand with Social Media
Building Your Employer Brand with Social Media
LuanWise
 
Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431
ecamare2
 
Training my puppy and implementation in this story
Training my puppy and implementation in this storyTraining my puppy and implementation in this story
Training my puppy and implementation in this story
WilliamRodrigues148
 
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your TasteZodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
my Pandit
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
SOFTTECHHUB
 
Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
Aggregage
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
Adam Smith
 
Industrial Tech SW: Category Renewal and Creation
Industrial Tech SW:  Category Renewal and CreationIndustrial Tech SW:  Category Renewal and Creation
Industrial Tech SW: Category Renewal and Creation
Christian Dahlen
 
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdfikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
agatadrynko
 
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Lviv Startup Club
 
2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman  Numerals  Men  Rings2022 Vintage Roman  Numerals  Men  Rings
2022 Vintage Roman Numerals Men Rings
aragme
 
BeMetals Investor Presentation_June 1, 2024.pdf
BeMetals Investor Presentation_June 1, 2024.pdfBeMetals Investor Presentation_June 1, 2024.pdf
BeMetals Investor Presentation_June 1, 2024.pdf
DerekIwanaka1
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
Adam Smith
 
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
taqyea
 
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s DholeraTata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Avirahi City Dholera
 
Best practices for project execution and delivery
Best practices for project execution and deliveryBest practices for project execution and delivery
Best practices for project execution and delivery
CLIVE MINCHIN
 

Recently uploaded (20)

Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel ChartSatta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
 
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdfModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
 
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
 
-- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month ---- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month --
 
Building Your Employer Brand with Social Media
Building Your Employer Brand with Social MediaBuilding Your Employer Brand with Social Media
Building Your Employer Brand with Social Media
 
Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431
 
Training my puppy and implementation in this story
Training my puppy and implementation in this storyTraining my puppy and implementation in this story
Training my puppy and implementation in this story
 
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your TasteZodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
 
Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
 
Industrial Tech SW: Category Renewal and Creation
Industrial Tech SW:  Category Renewal and CreationIndustrial Tech SW:  Category Renewal and Creation
Industrial Tech SW: Category Renewal and Creation
 
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdfikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
 
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
 
2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman  Numerals  Men  Rings2022 Vintage Roman  Numerals  Men  Rings
2022 Vintage Roman Numerals Men Rings
 
BeMetals Investor Presentation_June 1, 2024.pdf
BeMetals Investor Presentation_June 1, 2024.pdfBeMetals Investor Presentation_June 1, 2024.pdf
BeMetals Investor Presentation_June 1, 2024.pdf
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
 
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
一比一原版新西兰奥塔哥大学毕业证(otago毕业证)如何办理
 
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s DholeraTata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
 
Best practices for project execution and delivery
Best practices for project execution and deliveryBest practices for project execution and delivery
Best practices for project execution and delivery
 

IS Audits and Internal Controls

  • 1. IS Audit and Internal Controls Implementation and continuous review of effectiveness of Internal Controls has always been a challenge for enterprises.Internal Controlscanbe comparedto the chassisof avehicle - withoutthe chassis,the engine isrendered useless.Internal Controlsare mostneededinacorporate environmenttopreventfraudincidence andtomanage risk of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and along withhelpof technology,they have succeededinincreasingtheirsize of services,producesandpresence. Enterprises are nowhavingtheirlocationsall overthe world. Thusthe needof havingcorrectInternal Controlsismore thanever. A CA provided the following services until the effect of technology struck business.As a professional, he used to provide servicessuchasAudit,Tax,CompanyMatters,Legal Compliances,andAccountingetc.SpecificallyasanAudit Professional, he usedto render services of conducting audit engagements such as Statutory Audit, Tax Audits (both DirectandIndirectTaxes),SpecialAudits(asprescribedundervarious Acts),BankAudits,andInternal Auditsetc.There is a paradigm shift in the expectations from Chartered Accountants in the new scenario. A CA as an audit professional can provide more services that relate to technologysuch as IS Audits, Implementation of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic Audits etc. A CA is expectedtoknowand review implementationof new regulationsandstandards like The Sarbanes – Oxley Act of 2002 – Section 302 and 404, The Companies Act 2013 – Section 134 and 143, Clause 49 of SEBI’s Listing Agreement,Privacy Acts of variousCountries and Standards like ISO 27000 Family, ISO 22301, BSI (British Standards Institute) Standards, and PAS (Public Available Standards) Standards etc., not forgetting Frameworks like COBIT 5 (Control Objectives for Information and Related Technology) and COSO (Committee of Sponsoring Organizations) Framework for Internal Controls. One such greenfield service is the engagement of conducting IS Audits or Information Systems Audit. An IS Audit is relatedtoInternal Audit.Internal Controlsthatare presentintheenterpriseare completelyrelevant whileconducting an IS Audit. These are some keywords that would be repeating in this study and is important to understand them. 1. Control:It literallymeansInternal Controlsthatispresentina businessenvironment.Itcan be IT Controlsor non IT Controls. 2. Risk: It is the rate at which there is a threat to the business which has arisen from a specific happening/non happening. 3. Process: A set of tasks make a work flow. A set of work flows make a process. A process is controlled by a “Process owner” or “Function head”. E.g. HR Process, Procurement Process. Internal Control simply means “Policies framedby the management in order to have stronger and adequate control of affairswithinthe enterprise,andwhichcanbe checkedbythe Internal orStatutoryAuditorinorderto ensure that the goalsandobjectivesof the enterpriseare dulymet”. Theyare practicesandprocessesenforcedonthe employees of an enterprise to prevent fraud and to maintain integrity of the data. Internal Controlsissaidtobe asumof General ControlsandISControls.IScontrolsissaidtobe asumof IT Application Controls and IT General Controls. General Controls refers to Internal controls that are not enforced through the IT System unlike the IS Controls. IS Controls are controls that are present on the enterprise’s IT Infrastructure. IT Infrastructure includes hardware and software. IT Application Controls: They vary depending on the applications that have been installed by the enterprise for its revenue generation. Application software is the software that processes business transactions. The Application software couldbe aretail bankingsystem, anInventorysystemorpossibly anintegratedERP.Controlswhichrelateto businessapplicationsleading tojudicial use of the applicationand enforcedthroughthe applicationitself tothe end user are called IT Application Controls. IT Application Controls can be broadly classified into five categories: 1. InputControls:Controlsthatare enforcedduringthe inputof databya user.E.g.Data Checksandvalidations.
  • 2. 2. Processing Controls: Controls that are enforced during the processing of data that have been input. E.g. duplicate checks, File Identifications and Validations etc. 3. Output Controls: Controls that are enforced during display of output of the processed data. E.g. Update Authorizations etc. 4. Integrity Controls: These controls are used to preserve the genuineness and accuracy of data. E.g. Data Encryption,InputValidationsetc.These controlscan be enforcedduringinputandprocessingand storage of data. 5. Management Trails: These controls are for the management to find out the audit trail of a transaction. E.g. Time stamps and snapshots of application. IT General Controls: They may also be referred as General Computer controls. These are controls other than IT Application Controls, which relate to the environment within which computer-based application systems are developed,maintainedandoperatedandare thereforeapplicabletoall applicationsTheseare policiesandprocedures that relate tomanyapplicationsandsupportthe effectivefunctioningof applicationcontrolsbyhelpingtoensure the continued proper operation of information systems. IT General Controls can be broadly classified into the following areas: 1. Physical Access Controls: These controls are enforced at protecting the physical locations of the IT Infrastructure. E.g. Security Personnel, Physical Locks, Bio Metric Locks, CCTV etc. 2. Data Center Controls: These controls are enforced specifically at the data centers of an enterprise. A data centeristreatedas an extremelysensitive areaandthusa higherriskwouldbe present.E.g.BiometricLocks, Presence of ServerRacks, Presence of AirConditioners,Fire Extinguishers,WeatherControls,LogRegisterof people etc. 3. IS Security:These controlsare enforcedateverylevelof ITInfrastructure.The objectivesof thesecontrolsare protectionof InformationAssets. The CIA triadisenforcedi.e.Confidentiality,IntegrityandAvailabilityof Data andinformationsecurityismaintained.E.g.Firewall,Antivirus,Anti Spyware,Timely updatingof software and antivirus updates and patches etc. 4. SystemDevelopmentLifeCycle andChangeManagementControls:Thesecontrolsare enforcedtoensure that the correct process of software development/procurement and release management is followed. E.g. Documented Process for procuringsoftware, Documented Processof incorporating changes to the acquired software etc. 5. Logical Controls: These are controls which provide access restrictions to the employees who use the IT Infrastructure. The motive of these controls is to protect the identities of the employees and to prevent misuse. E.g. User Account Passwords, Access Removal upon termination, screen locks etc. 6. Backupand Recovery:These controlsare presentto ensure properbackupandrecoveryprocessesof the data of the organization. E.g. Daily Backup of data and environment (OS), Restoration Practice trial etc. 7. End usercomputing:These controlsare enforceddirectlyonthe employees.Thesecontrolsare enforcedwith an objective of prevention of IT Infrastructure Abuse by the employees. E.g. Logging of user activity and Review, Disabling of USB Ports etc. An ISAuditisperformedtoprovide assurance thatall of the above mentionedcontrolsare adequateandsatisfactory to the nature of the enterprise and effectively operational in the functions of the enterprise. An IS Audit is typically dividedintotwosectionsi.e.Review of ITApplicationControls(ITAC) andReview of ITGeneral Controls(ITGC).AnIS Audit would have the following process:-  An IS Auditor would begin his audit engagement by having conversation withthe IT Administrator/CIO of an enterprise. The IS auditor would review all the documented policies and processes that are being enforced withinthe organization.Documentedpolicieswouldinclude aISSecurityPolicy,BringYourOwnDevice Policy (BYOD),PasswordPolicy,BCPetc.The ISAuditorwouldbe gaininganunderstandingof the overall level of the Internal Controls.  An IS Auditor would then gain an understanding of the applications that have been implemented in the IT Infrastructure. It would be a base for him to decide the plan of action of the Audit.  The next step would be to collect a list of all the types of logs that can be generated by the applications.
  • 3.  Aftercollectingthe above information,the auditorthe auditor identifiesthe risksthat are applicable forthe enterprise. The approachthatwouldbe followed istocreate a matrix foreach applicationandarea (forITAC andITGC respectively) andwouldidentifythecontrolsthatare enforcedinthe enterprise.All the identification and Review of controls would be performed by sampling, observations or any other method.  Testing of Design Effectivenessand testing of operating effectiveness would be performed by the IS Auditor on every identifiedcontrol. Testing of Design Effectiveness refersto the working design of the control as documented.Itis a blue printof the control.Testingof OperatingEffectivenessreferstoactual performance of the Control in the IT Environment.  It isimportantforthe ISAuditorto collectsufficientevidencewhile identifyingthe controls.Evidencescanbe in the form of Screenshots, Email threads, Scanned documents, photographs, Minutes of Meetings etc.  A Risk Rating exercise is then performed to the identified controls to see whether the identified control is sufficient to mitigate the identified risk.  Based on the Risk Ratings and the evidences collected, suitable recommendations would be suggestedand accordingly an IS Audit report would be drafted and shared to the enterprise. Thus the ultimate test of IT Internal Controls can be performed in an IS Audit. Based on the findings and observations,anIS Auditorwouldbe able to provide sufficientassurance whetherthe incorporatedcontrolsare adequate or not to the nature and size of the IT Infrastructure of the enterprise.