Running head: AUDITING INFORMATION SYSTEMS PROCESS
Auditing information systems process
Student’s Name
University Affiliation
Process of Auditing information systems
Information systems are the lifeblood of every large company. As in past years, computer systems do not simply record business transactions; they essentially drive the main business processes of the enterprise. In this situation, senior management and business managers usually have concerns about the information system. An assessment is a methodical process in which a competent, independent person objectively obtains and evaluates evidence concerning assertions about an economic entity or event, with the intent of forming an opinion about, and reporting on, the extent to which the assertion conforms to an accepted set of standards. Information systems auditing refers to the assessment of management controls within Information Technology. The evaluation of the evidence obtained is used to decide whether information systems are safeguarding assets, maintaining the reliability of data, and operating efficiently in order to attain the organization’s goals or objectives (Hoelzer, 2009).
Auditing of Information Systems has become an essential part of business organization in both large and small business environments. This paper examines the starting points for carrying out an Information System audit and some of the techniques, tools, guidelines and standards that can be employed to build, manage, and examine the review function. The Certified Information Systems Auditor (CISA) qualification is recognized worldwide as a standard of accomplishment for those who assess, monitor, control and audit an organization's information technology and business systems. For Information Systems professionals with an interest in information systems security, control and audit, at least five years of professional information systems security, auditing and control work experience is necessary for certification. An audit contract should be in place to state clearly management's responsibility for, the purpose of, and the delegation of authority to the Information System audit. The audit contract should also summarize the overall rights, responsibilities and scope of the audit function. The highest level of management should endorse the contract, and once it is established it should be changed only if the amendment can be thoroughly justified.
The process of auditing information systems involves:
Audit Function Management: this process includes a systematic
assessment of the organization's management policies and methods
in the management and utilization of resources, the improvement
of the organization and its employees, and strategic and tactical
planning. The main goals are to establish the present level of
effectiveness, suggest improvements and set standards for future
performance.
Standards of Assurance, IT Audit and Guidelines: these involve
the relationships between standards, tools, guidelines and
techniques. They also comprise the Information Technology
assurance framework, among other standards. They describe a
framework of guidance and standards relating to the performance
and acceptance of auditing and assurance activities
(John, 2007).
Risk Analysis: this involves identifying specific risks that the
organization's information system might face, establishing their
impact, likelihood of occurrence, severity and priority, and
recommending mitigation strategies.
Internal Controls: these are actions that management and other
groups take to manage risk and to increase the likelihood that
the identified goals and objectives will be attained.
Perform an Information System Audit: this process involves
evaluating the strengths and weaknesses of the audit, testing,
sampling, management's implementation of recommendations, and
communicating the results of the audit, among others
(Richard, 2007).
The function of an Information System audit is to evaluate and
to offer suggestions, assurance and feedback. The concerns it
addresses may be grouped into three broad categories:
· Accessibility (availability):
This concerns whether the information system on which the
organization depends heavily will be available to the business
at all times when needed. It also covers questions such as
whether the whole system is well protected against all kinds of
disasters and losses.
· Discretion (confidentiality):
This concerns whether the data in the system will be disclosed
only to the people who need to see and use it, and to no one
else.
· Reliability (integrity):
This concerns whether the data provided by the system will
always be timely, dependable and accurate. It also ensures that
no unauthorized alteration can be made to the software or to the
data in the system.
The benefits of an audit can be grouped into four categories:
· Strategic benefits.
Reliability of the information produced by the business.
Improved client confidence.
· Operational benefits.
Improved employee morale and productivity.
Reliable data makes it possible for management to make accurate
and informed decisions.
· Economic benefits.
Improved performance of the hardware.
The costs of theft of Information System assets are reduced.
· Technological benefits.
The organization's decisions based on computer-generated
information are consistent.
Business partners trust the organization's management,
distribution and control of sensitive data.
ASPECTS OF INFORMATION SYSTEM AUDIT:
Information systems are not merely processors. Present-day
information systems are complex and contain many components
which come together to build a business solution (Weber, 2002).
Assurance about information systems can be attained only if
every component is assessed and secured. The main aspects of an
Information Systems review can be broadly categorized into:
· Environmental and physical evaluation.
This covers humidity control, air conditioning, power supply,
physical security and other environmental aspects.
· System management evaluation.
This entails a security evaluation of the database management
systems, the operating systems, and all system management
procedures and compliance with them.
· Application software evaluation.
The business application can be an enterprise resource planning
system, a web-based customer order processing system, invoicing
or a payroll system that essentially runs the business. The
evaluation of such application software would include the
corresponding manual procedures and controls, the business
processes within the application software, error and exception
handling, validations, authorizations and access control. In
addition, an evaluation of the system development lifecycle
should be completed.
· System security evaluation.
The typical areas covered by this review include the evaluation
of the external and internal connections to the system,
intrusion detection and port scanning, router access control
lists, and a review of the firewall and perimeter security.
· Business continuity review.
This entails the existence and maintenance of fault-tolerant
and redundant hardware, backup procedures and storage, and a
documented and tested disaster recovery or business continuity
plan.
· Information reliability evaluation.
The purpose of this examination of live data is to confirm the
adequacy of controls and the impact of weaknesses observed in
any of the previous evaluations. Such substantive testing can be
carried out using generalized audit software, for instance
computer-assisted audit techniques (Weber, 2002).
It is important to appreciate that every review may include all
of these aspects to different extents. Some auditors may examine
just one of the aspects and leave out the others. However, it is
essential to carry out all the aspects, though it is not
compulsory to carry out all of them in one task. The set of
skills needed for each of these aspects is different. The
outcomes of each review need not be perceived in relation to
another. This allows the auditor and management to obtain a full
view of problems and concerns. This review is very important.
All these aspects need to be addressed in order to give
management a clear evaluation of the system. For instance,
application software can be well designed and implemented with
all the security features, yet the default user password in the
operating system used on the server may never have been changed,
allowing somebody to view the data files directly. A situation
like this negates whatever security was built into the
application. Similarly, technical system security and firewalls
might have been implemented thoroughly, but the access controls
and role definitions in the application software might have been
so poorly designed and implemented that, using their user IDs,
employees can see critical and sensitive data far beyond their
roles (Weber, 2002).
We should also appreciate that every review might involve these
aspects in different measures. Some reviews may inspect just one
of the aspects or leave some of them out. It is, however,
necessary to carry out all of these aspects, though it is not
compulsory to carry out all of them in a single task. The set of
skills needed for each aspect is different. The outcomes of each
review should not be perceived the same as another. This will
allow the auditor and management to get a complete view of
concerns and difficulties. This review is very significant.
Threat based Approach
Each organization uses several information systems. There may be
different applications serving different activities and
functions, and there may be various workstation installations at
different physical locations. The auditor is faced with the
questions of what to audit, when, and how often. The answer to
all of these is to adopt a threat based approach. While there
are hazards inherent to information systems, the hazards affect
different systems in different ways. The hazard of
unavailability can be severe even if it lasts only an hour
(Weber, 2002). The hazard of unauthorized alteration could be a
source of fraud and potential losses for an online banking
system. A batch processing system or a data consolidation system
may be comparatively a little more susceptible to a number of
these hazards. The industrial environment in which the system
operates may also affect the hazard associated with the system.
The procedure that can be followed for a threat based approach
to creating a review plan is:
1. Inventory the information systems in use in the business and
classify them.
2. Decide which of the systems have critical assets or
functions, for example how close to real time they operate,
decision making, customers, materials and money.
3. Evaluate which hazards affect the systems and the severity of
their consequences for the business.
4. Rank the systems on the basis of the above evaluation and
decide on the review frequency, schedule, resources and priority.
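The four steps above, worked through as an added Python example that is not part of the original paper. The 0-3 criticality ratings, the likelihood-times-severity scoring, the tier thresholds, the audits-per-year figures and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Step 2 factors named in the text; the 0-3 ratings are an assumed scale.
FACTORS = ("real_time", "decision_making", "customers", "materials", "money")
# (minimum score, tier, audits per year): assumed thresholds, not from the text.
TIERS = ((30.0, "high", 2), (15.0, "medium", 1), (0.0, "low", 1))

@dataclass
class System:
    name: str
    category: str        # step 1: classification
    criticality: dict    # step 2: factor -> 0..3
    hazards: dict        # step 3: hazard -> (likelihood 1..5, severity 1..5)
    days_per_audit: int

def risk_score(system):
    """Worst hazard exposure (1..25) scaled by a criticality weight (1..2)."""
    exposure = max(lik * sev for lik, sev in system.hazards.values())
    rated = sum(system.criticality.get(f, 0) for f in FACTORS)
    return round(exposure * (1 + rated / (3 * len(FACTORS))), 1)

def annual_plan(inventory, budget_days):
    """Step 4: rank by score, set frequency, spend auditor-days by priority."""
    plan, remaining = [], budget_days
    for system in sorted(inventory, key=risk_score, reverse=True):
        score = risk_score(system)
        tier, audits = next((t, n) for floor, t, n in TIERS if score >= floor)
        needed = audits * system.days_per_audit
        fits = needed <= remaining
        remaining -= needed if fits else 0
        plan.append({"system": system.name, "score": score, "tier": tier,
                     "audits": audits if fits else 0, "deferred": not fits})
    return plan, remaining

# Constructed inventory; every rating below is made up for illustration.
INVENTORY = [
    System("payroll-batch", "batch", {"money": 3},
           {"unavailability": (2, 2), "unauthorized_alteration": (3, 4)}, 6),
    System("online-banking", "online",
           {"real_time": 3, "decision_making": 1, "customers": 3, "money": 3},
           {"unavailability": (3, 5), "unauthorized_alteration": (4, 5)}, 10),
    System("data-consolidation", "reporting", {"decision_making": 3, "money": 1},
           {"unavailability": (1, 2), "unauthorized_alteration": (2, 3)}, 5),
    System("web-order-processing", "online",
           {"real_time": 2, "decision_making": 1, "customers": 3, "materials": 2, "money": 2},
           {"unavailability": (3, 4), "unauthorized_alteration": (2, 4)}, 8),
]
if __name__ == "__main__":
    print(*annual_plan(INVENTORY, budget_days=36)[0], sep="\n")
```

A system marked as deferred did not fit the auditor-day budget, which is the point at which the plan and its resourcing go back to management.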
The auditor can then draw up an annual review plan that lists
the reviews to be carried out during the period according to the
schedule, together with the resources that are necessary.
Preparation before starting a review entails gathering
background information and assessing the skills and resources
needed to perform the review. This allows staff with the right
kind of expertise to be assigned to the right task. It is always
good to hold a formal review kickoff meeting with the senior
management responsible for the area under review to finalize the
scope, identify any special concerns, schedule the dates and
explain the methodology for the review. Meetings like this
should get top management involved, allow people to meet one
another, clarify issues and underlying business concerns, and
help the review to be conducted efficiently (Weber, 2002).
References
Weber, R. (2002). EDP Auditing. Conceptual Foundations and Practice.
Hoelzer, D. (2009). Audit Principles, Risk Assessment & Effective Reporting. SANS Press.
John, B. (2007). Public Sector Auditing: Is it Value for Money? Creating a culture of compliance.
Richard, C. (2007). Information system auditing; Auditor's Guide to Information Systems Auditing. High Tower Software.
Zener, B. (2012). Public Sector Auditing. SANS Press.