CHAPTER ONE - INTRODUCTION TO INFORMATION SYSTEM AUDIT

SCOTT CHRISTIAN UNIVERSITY

BACHELOR OF INFORMATION COMMUNICATION TECHNOLOGY

BCT 326: INFORMATION SYSTEMS AUDIT NOTES


CHAPTER ONE: INTRODUCTION TO INFORMATION SYSTEMS (IS) AUDIT

1.1 Introduction

  • Definition:

    • Information Systems (IS) Audit: Process of collecting and evaluating evidence to determine if a computer system:

      • Safeguards assets

      • Maintains data integrity

      • Provides relevant and reliable information

      • Achieves organizational goals efficiently

    • IT Audit: An examination of management controls within an IT infrastructure.

    • Evaluates if information systems protect assets and operate effectively.

    • Can be performed alongside financial statement audits, internal audits, or other engagement forms.

Objectives of IS Audit

  • Ensure compliance with standards, laws, and regulations.

  • Identify potential risks and recommend mitigation actions.

  • Evaluate system effectiveness and suggest improvements.

Purpose of IS Audit

  • Review and provide feedback, assurances, and suggestions.

  • Concerns are categorized into three broad areas:

    • Availability: Ensures systems are accessible and protected against losses.

    • Confidentiality: Limits access to information to authorized users only.

    • Integrity: Ensures information is accurate, reliable, and protected from unauthorized modifications.

Importance of IS Audit

  • Ensures security, accuracy, and reliability of an organization’s information systems.


1.2 Role of ISACA in IS Audit

  • ISACA (Information Systems Audit and Control Association):

    • A globally recognized organization for IS auditors.

    • Provides certifications, standards, guidelines, and frameworks.

  • Key Certifications:

    • CISA (Certified Information Systems Auditor): Validates IS auditing knowledge.

    • CRISC (Certified in Risk and Information Systems Control): Focuses on enterprise IT risk management.

  • Guiding Documents:

    • ISACA Standards: Define acceptable IS auditing performance levels.

    • ISACA Guidelines: Detailed guidance for complying with standards.


1.3 IS Audit Process Overview

  • Audit Planning:

    • Define the audit's scope, objectives, and criteria.

    • Conduct a preliminary risk assessment.

    • Plan resources and timelines.

  • Fieldwork:

    • Collect evidence via observation, testing, and interviews.

    • Assess system controls and compliance.

  • Reporting:

    • Prepare a report summarizing findings, conclusions, and recommendations.

  • Follow-Up:

    • Ensure management implements corrective actions.


1.4 Key Concepts in IS Audit

  • IT Governance: Frameworks ensuring IT supports business objectives.

  • Risk Management: Identifying and mitigating IT-related risks.

  • Internal Controls: Mechanisms for protecting assets and integrity.

  • Compliance: Following relevant laws and regulations.

  • Data Integrity and Security: Ensuring accuracy and protection against unauthorized access.


1.5 Types of IT Audits

  • Taxonomy of IT audits includes:

    • Technological Innovation Process Audit: Constructs risk profiles for projects.

    • Innovative Comparison Audit: Compares company innovation capabilities against competitors.

    • Technological Position Audit: Reviews current and needed technologies categorized as base, key, pacing, or emerging.

  • Other Categories:

    • Systems and Applications Audit: Verification of efficiency and control in systems.

    • Information Processing Facilities Audit: Ensures timely and accurate processing.

    • Systems Development Audit: Assessment of development practices.

    • Management of IT and Enterprise Architecture Audit: Verifies IT management efficiency.

    • Client/Server Audit: Verifies that telecommunications controls are in place in networks.


1.6 Elements of IS Audit

  • Given the complex nature of information systems, an IS audit includes:

    • Physical and Environmental Review: Focus on security, power, and environmental factors.

    • System Administration Review: Security checks of operating systems and compliance audits.

    • Application Software Review: Analysis of access controls, validations, and business processes.

    • Network Security Review: Evaluates internal and external connections and perimeter security.

    • Business Continuity Review: Examines backup procedures and disaster recovery plans.

    • Data Integrity Review: Scrutinizes data to verify the adequacy of controls.

  • Audit Plan Development: Organize audit activities effectively.


1.7 Conclusion

  • IS Audit Importance: Critical for alignment of information systems with organizational goals.

  • ISACA's Role: Provides standards and guidelines for effective IS auditing.

  • Focus Areas: Risk management, control assurance, and compliance are essential in technology-driven businesses.
