Vocabulary flashcards for reviewing Information Systems Auditing concepts.
Auditing
A systematic and independent examination of information to determine whether it accurately reflects the transactions or events it represents.
Auditors
Individuals who enhance the degree of confidence of intended users regarding the credibility of information.
Auditor's Credibility
Auditors must maintain objectivity and avoid any influences that could compromise their professional judgment.
Performance of Auditor's Work
This encompasses responsibility and the need for evidence. Auditors are responsible for conducting the audit with professional skill and scepticism.
Accountability
Auditors act in the interest of primary stakeholders, while also considering the wider public interest.
Integrity
Auditors must act with honesty, fairness, and truthfulness, maintaining the confidentiality of information obtained during the audit.
Objectivity and Independence
Auditors must be impartial, fair, and free from prejudice or bias, expressing opinions independently of the entity being audited.
Competence
Auditors must possess the professional skills derived from their qualifications, training, and practical experience, including an understanding of business issues and financial reporting.
Rigour
Auditors approach their work with thoroughness and professional scepticism, critically assessing information and explanations.
Judgement
Auditors apply professional judgment, considering materiality in the context of their reporting.
Clear Communication
Audit reports must contain clear expressions of opinion and provide necessary information for a proper understanding.
Association
Auditors must exercise caution when their reports are included in documents containing other information, ensuring that the additional information does not contradict their findings and is not misleading.
Providing Value
Auditors contribute to the reliability of financial reporting and provide constructive observations that can improve business operations.
Policies
High-level documents, approved by senior management, that state important high-level control objectives. They are typically brief and mandate compliance.
Standards
Mid-level documents that ensure the uniform application of policies. Compliance with standards, once approved, is mandatory and serves as a benchmark for audits.
Guidelines
Advisory documents that suggest how organisational objectives might be achieved when no standard exists. They are discretionary and aim to aid decision-making.
Procedures
Detailed, step-by-step instructions for accomplishing specific tasks needed to meet a standard. Mandatory compliance ensures consistency and accuracy.
Internal Audits
An independent verification process established within an organisation to examine and evaluate the organisation's activities.
External Audits
Verification or evaluation conducted by auditors who are independent of the organisation being audited.
Government Audits
Evaluations carried out by auditors within government departments.
Forensic Audits
Audits conducted by auditors who investigate and gather evidence in cases of alleged financial mismanagement, theft, or fraud.
Environmental Audits
Audits performed by auditors who assist businesses in making environmental improvements.
Information Systems Audits (ISA)
Audits specifically designed to help organisations ensure effective operations and compliance with administrative and legal regulations concerning their information and related systems.
Information System Audit (ISA)
A review of the controls within an entity's information technology infrastructure.
Availability
Will the organisation's computer systems be accessible for business operations whenever required?
Security and/or Confidentiality
Will the information within these systems be disclosed solely to authorised users?
Integrity
Will the information provided by the system consistently be accurate, reliable, and adequate?
Controls
Measures implemented by organisations to mitigate risks.
Objectives of Controls
Reliability and integrity of information, compliance with applicable policies, plans, procedures, laws, and regulations, safeguarding of assets, effectiveness and efficiency of operations, and achievement of desired outcomes.
Segregation of duties (SOD)
Ensuring that no single individual can handle all aspects of a transaction or business process inappropriately, thereby preventing potential errors or fraud.
Audit trails
Logs that record activities at the system, application, and user levels, serving as an important detective control for security objectives.
Input controls
Identifying all data entering the processing cycle.
Processing controls
Covering edits, error handling, audit trails, and master file changes.
Output controls
Defining how to verify the correctness of reports.
Acceptance testing
Involves a complete end-to-end test of the operational system, including manual procedures.
Risk
The possibility of an event occurring that could negatively affect the organisation and its information systems.
Inherent Risk
The susceptibility of an audit area to error without considering related internal controls.
Control Risk
The risk that an error will not be prevented, detected, or corrected on a timely basis by the internal control system.
Detection Risk
The risk that the auditor's procedures will not detect errors.
Audit Risk (Residual Risk)
The auditor's willingness to accept that reports may be materially misstated after the audit.
Controllable risks
Risks that exist within the processes of an organisation and that are entirely in the hands of the organisation to mitigate.
Uncontrollable risks
Risks that can arise externally to the organisation and that cannot be directly controlled or influenced but that nevertheless call for a risk position to be taken by the organisation.
Influenceable risks
Risks that arise externally to the organisation but that can be influenced by the organisation.
Control Objectives for Information and Related Technology (COBIT)
A widely used framework, developed by ISACA, for information systems security and control best practices.
Computer Aided Audit Techniques (CAATs)
CAATs are important tools for achieving sufficient and reliable evidence.
Logical access controls
System-based mechanisms that define who or what has access to specific system resources and the permitted transactions and functions.
Physical access controls
Prevent unauthorised physical access or illegal entry, allowing access only to authorised personnel.
Environmental controls
Address external factors that can affect information systems, primarily environmental exposures.
Disaster Recovery
Refers to controls implemented to minimise disruption from disasters that prevent processing and damage data.
Disaster Recovery Plan
A written document outlining procedures for each employee in the event of a disaster.