Information System (IS) auditing is a critical task for any organization, regardless of its size or industry. It examines an organization’s information systems, policies, procedures, and controls to ensure that they comply with industry standards and regulations. An Information System Audit (ISA) is conducted by internal or external auditors, who evaluate and report on the effectiveness of an organization’s IS policies, procedures, and controls. This paper discusses the foundations of Information System Auditing, its objectives, its scope, and audit process management.
Foundations of Information System Auditing
The field of Information System Auditing (ISA) has evolved over time to meet the growing complexity and sophistication of information systems. The foundation of ISA can be traced back to the mid-1960s, when auditors began to recognize the importance of automated systems in accounting and auditing. ISA was formally recognized in the late 1970s, with the establishment of professional organizations and certifications. The Information Systems Audit and Control Association (ISACA) was founded in 1969, and the Certified Information Systems Auditor (CISA) certification was introduced in 1978. The International Standards for the Professional Practice of Internal Auditing (Standards) provide guidance for the practice of ISA. These standards are set by the Institute of Internal Auditors (IIA) and are recognized internationally.
Objectives of Information System Auditing
The objectives of ISA are to ensure that an organization’s IS policies, procedures, and controls are designed and implemented effectively. The primary objective of ISA is to evaluate the effectiveness of the organization’s control environment, with the aim of detecting and preventing fraud, errors, and other irregularities. Other objectives of ISA include:
- Ensuring the confidentiality, integrity, and availability of information assets
- Assessing the effectiveness of security controls
- Evaluating the effectiveness of IT governance
- Verifying the accuracy of financial reporting
- Identifying operational inefficiencies
- Evaluating compliance with laws and regulations
- Providing assurance to stakeholders, including management, shareholders, customers, and regulators.
Scope of Information System Auditing
The scope of ISA can be divided into two main categories: general controls and application controls. General controls apply across all aspects of an organization’s information systems, while application controls are specific to particular applications. General controls include:
- IT governance
- Security management
- Change management
- Program development and acquisition
- Program change and maintenance
- Computer operations.
Application controls include:
- Input controls
- Processing controls
- Output controls.
ISA is not limited to auditing financial systems. It can also include the evaluation of non-financial systems, such as HR, inventory, and purchasing systems.
Audit Process Management
Audit process management consists of three stages: planning, fieldwork, and reporting. The steps involved in each stage are as follows:
- Planning: The planning stage involves defining the scope and objectives of the audit, identifying the audit team, and establishing the audit schedule. The auditor should also review the organization’s documentation, including policies and procedures, to understand the organization’s IS environment.
- Fieldwork: The fieldwork stage involves collecting data, performing tests, and evaluating the organization’s IS policies, procedures, and controls. The auditor should also assess the adequacy of the organization’s documentation and compliance with relevant regulations.
- Reporting: The reporting stage involves preparing the audit report, which includes the auditor’s findings, conclusions, and recommendations. The report should also include the auditor’s opinion on the effectiveness of the organization’s IS policies, procedures, and controls.