Chapter 1 (the Information System Audit Process)

Information Management and AuditingIS audit process

Information systems are the lifeblood of any large business. As in years past, computer systems do not merely record business transactions, but actually drive the key business processes of the enterprise. In such a scenario, senior management and business managers do have concerns about information systems.

Auditing – defined:Auditing is a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

IS auditing – defined:IS Audit is the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.

WHY IS AUDIT? – “CIA”The purpose of IS audit is to review and provide feedback, assurances and suggestions. These concerns can be grouped under three broad heads: Availability:

Will the information systems on which the business is heavily dependent be available for the business at all times when required? Are the systems well protected against all types of losses and disasters?

Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it and not to anyone else?

Integrity: Will the information provided by the systems always be accurate, reliable and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?

BENEFITS OF IS AUDITING: Strategic Benefits:

o Integrity of Data produced by the Organization.o Enhanced Customer Confidence.

Operational Benefits:o Increased Employee Productivity and Morale.o Integrity of Data enables Management to make informed and accurate

decisions. Financial Benefits:

o Increased Hardware Performance.o Cost of theft of IS Assets is reduced.

Technical Benefits:o Management Decisions on Computer-Processed Data are reliable.o Business Partners trust Organization’s Management Control and distribution of

sensitive Data.

ELEMENTS OF IS AUDIT:An information system is not just a computer. Today's information systems are complex and have many components that piece together to make a business solution. Assurances about an information system can be obtained only if all the

1Prepared by: Muhammad

Umar Munir


components are evaluated and secured. The major elements of IS audit can be broadly classified:Physical and environmental review:This includes physical security, power supply, air conditioning, humidity control and other environmental factors.

System administration review:This includes security review of the operating systems, database management systems, all system administration procedures and compliance.

Application software review:The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.

Network security review:Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.

Business continuity review:This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan.

Data integrity review:The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).

It is important to understand that each audit may consist of these elements in varying measures; some audits may scrutinize only one of these elements or drop some of these elements. While the fact remains that it is necessary to do all of them, it is not mandatory to do all of them in one assignment. The skill sets required for each of these are different. The results of each audit need to be seen in relation to the other. This will enable the auditor and management to get the total view of the issues and problems. This overview is critical.

WHY IS AUDIT? Greater reliance on Information Systems and Technology Growing Concern for Data Security due to Proliferation of technology Legal requirement Complexity of Information Systems and Technology

IS AUDIT PLANNING:Environment understanding is an essential component of IS audit planning. This understanding includes general acquaintance with the related business processes, supporting information system, and regulatory environment.


Umar Munir


These all understanding can be taken by the following: Touring key organizational facilities. Studying manuals. Reviewing strategic plans. Interviewing key management personnel. Reviewing prior reports.IS auditor should consider the resource requirement of audit project and match audit resources to the defined tasks.

AUDIT MISSION:An audit charter should exist to clearly state management’s responsibility, objectives for, and delegation of authority to, IS audit. This document should outline the overall authority, scope and responsibilities of the audit function. The highest level of management should approve this charter and once established, this charter should be changed only if the change can be and is thoroughly justified.

LAWS AND REGULATIONS:Every organization has to operate within a well-defined regulatory requirements and consistent compliance of which is a prerequisite of organizational survival. Following are the steps that an IS auditor would perform so as to ensure the regulatory compliance: Requirements related to ecommerce, data storage, copyrights, EDI etc. Compliance with documentary requirements. Internal control system is in operation as required by law.

STANDARDS:Standards define mandatory requirements for IS auditing and reporting.1) Audit charter:

The responsibility, authority, and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.

2) Independence:The IS auditor must be able to exercise its assignment on its own initiative in all departments, establishments and functions of the organization. It must be free to report its findings and appraisals and to disclose them. The principle of independence entails that the IS audit department operates under the direct control of either the organization’s chief executive officer or the board of directors or its audit committee (if one exists), depending on the corporate governance framework. Independence also requires that the IS auditors should not have a conflict of interest with the area under audit.

3) Professional ethics and standards:The information systems auditor is to adhere to the Code of Professional Ethics of the Information Systems Audit and Control Association. Due professional care and observance of applicable professional auditing standards are to be exercised in all aspects of the information systems auditor's work.

4) Competence:The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work. The information systems auditor is to maintain technical competence through appropriate continuing professional education.


Umar Munir


5) Planning:The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards.

6) Performance of audit work:Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant, and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.

7) Reporting:The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage, and the nature and extent of the audit work performed. The report is to identify the organisation, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions and recommendations and any reservations or qualifications that the auditor has with respect to the audit. Contents are:

Introduction Audit objective and scope

Period of audit coverage

Audit nature and extent

Audit procedure Conclusion & Opinion Reservation and

qualification Detailed audit fining

Final Decision Communicate to Management

8) Follow-up activities:The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions and recommendations to determine whether appropriate actions have been implemented in a timely manner.

GUIDELINES:Guidelines provide guidance in applying IS Auditing standards.

PROCEDURES:Procedures provide examples of procedures an IS auditor might follow in an audit engagement.

RISK ANALYSIS:Audit planning also includes risk analysis to identify risks and vulnerabilities that help devise controls to control them. IS auditor has to identify different types of risks associated with information system. The IS auditor is often focused towards a particular class of risks associated with information and the underlying information systems and processes.

The definition of risk is as under:


Umar Munir


“The potential that a given threat will exploit the vulnerabilities of an asset or a group of assets to cause loss or damage to the assets is called a risk.”

Risk is the potential that events, either expectedly or unexpectedly, may have an adverse impact on the organization’s earnings or capital. The existence of risk is not a reason for concern. Rather, auditors must determine if the risks are warranted. Generally, risks are warranted when they are:

Understandable, Controllable, and Within the organization’s capacity to readily withstand adverse performance.

Business risks are those risks that may influence the assets or processes of a specific business or organization. The nature of these risks may be financial, regulatory, or operational and may arise because of the interaction of the business with its environment, or because of the strategies, systems, processes, procedures, and information used by the business.

IT RISKS: Improper use of technology. Repetition of errors. Cascading of errors. Illogical processing. Inability to control

technology. Equipment failure.

Incorrect data entry. Concentration of data.

ELEMENTS OF RISK:Threats to, and vulnerabilities of, processes and / or assets (including both physical and information assets)

Unauthorized access

Hardware failure Utility failure Natural disasters Loss of key

personnel Human errors Tampering Disgruntled

employees Safety of personnel

Impact on assets based on threats and vulnerabilities

Physical destruction of assets

Loss of data Theft of the

information Indirect theft of

assets Delay loss Reduced

productivity & income, extra expense, license penalties etc.

Delay damage/service outage

Fraud via IT Altered or omitted

data Application or file

tampering Unauthorized

disclosure of IT

Probabilities of threats (combination of the likelihood and frequency of occurrence) It means the likelihood of the threat. For example in case of hurricane, Karachi would be more affected than Hyderabad. Therefore, the probability of hurricane at Karachi would be higher than Hyderabad.In the wide area network, the chance of external intrusions is higher than in local area network. These chances would increase if the data were transferred through the Internet than leased line.


Umar Munir


data Accidental,

intentional and malicious acts

Physical theft Petty, insider,

breaking & entering, armed robbery

INTERNAL CONTROL:The purpose to install internal control system is to provide reasonable assurance that organizational objectives will be achieved and undesired risk events are prevented, detected, and corrected on timely basis. Internal control is not solely a procedure or policy that is performed at a certain point in time, but rather it is continually operating at all levels within an organization.

OBJECTIVE OF IS INTERNAL CONTROLS: Security objectives - Safeguarding of assets. Operational objectives - Efficiency and effectiveness of operations. Information objectives - Reliability and completeness of accounting/financial

and management information.o Authorised input.o Accuracy, security, and completeness of information.o Database integrity.

Compliance objectives - Compliance with organizational policies and procedures as well as applicable laws and regulations

ELEMENTS OF INTERNAL CONTROL: Preventive:

Preventive controls are designed to detect problems before they arise. For example, to prevent from accident in plant, it is ensured that only qualified technicians are appointed. Another example could be the use of proper login mechanism before any person is allowed to access the sensitive business data.

Detective:After an error or problem has been occurred, the most important area is to detect the cause. It is generally said that once the causal factor is identified, major part of problem solving process is complete. Variance analysis is considered the one of the most effective detective control to identify and report weaknesses in the overall process.

Corrective:Once detective control has identified the cause of the problem, corrective control comes into play. It intends to adapt processes so as to minimize the future occurrence of the event.

GENERAL CONTROL PROCEDURES:Control procedures include the following: Accounting controls:

Accounting controls are principally concerned with safeguarding assets and providing assurance that the financial statements and the underlying accounting records are reliable. Stated broadly, the accounting function must be kept separate from the custody of assets.


Umar Munir


Operational controls:Operational controls are concerned with day to day operations of an organization to ensure that operations run smoothly. For example, plan maintenance review is scheduled every week so as to avoid breakdown.

Administrative controls:Administrative controls are measures that apply principally to operating efficiency and compliance with established policies. These controls have no direct bearing on the reliability of financial statements and other accounting records. Consequently, administrative controls are not of direct interest to accountants and auditors.

IS CONTROL PROCEDURES:The general control objectives could be translated into IS control objectives. For example, operational control for plant maintenance review could be translated into IS as proper period backup process. IS control procedures include: Access to information system resources. Data processing activities. Physical access controls. Database administration. Network and communication.

PERFORMING AN IS AUDIT:Written audit programs are essential for planning and conducting audits efficiently and effectively. An audit program serves to document pertinent planning information and establishes a set of procedures or steps for the auditors to follow. It identifies audit objectives and contains cross-references to applicable sections of the audit work plan, audit instructions, and audit policy guides.

AUDIT METHODOLOGY:It is a set of documented audit procedures designed to achieve planned audit objectives.

Components: Statement of

scope. Statement of audit

objectives. Statement of work

programs.

AUDIT PHASES:

CLASSIFICATION OF AUDIT:Financial audit:The purpose of a financial audit is to assess the correctness of an organization’s financial statements. A financial audit will often involve detailed, substantive testing. This kind of audit relates to information integrity and reliability.


Umar Munir


Operational audit:An operational audit is designed to evaluate the internal control structure in a given area. IS audits of application controls or of logical security systems, are examples of operational audits.

Integrated auditAn integrated audit combines both financial and operational audit steps. It assesses the overall objectives of an organization, related to financial information and assets safeguarding and efficiency.

Administrative auditIt is oriented to assess issues related with the efficiency of operational productivity within an organization.

Information systems auditThe process of collecting and evaluating evidence to determine whether an information system safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.

Specialized audits:Forensic audits:Audits specialized in discovering fraud and crimes.

RISK BASED AUDIT APPROACH:This approach is used to assess risk and to assist with an IS auditor to either compliance testing or substantive testing. This approach determines the nature and extent of testing. The IS auditor doesn’t just rely on risk; they also rely on internal controls and business knowledge. Following are the elements of a risk based audit approach:

AUDIT RISK:The risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated is called audit risk. This risk is reduced by designing and performing audit procedures to obtain sufficient appropriate audit evidence. This risk has two components:1) Risk of material misstatement:

This risk depends on the company and consists of two components:a) Inherent risk:

Inherent risk is the susceptibility of an account balance or class of transaction to misstatement that could be material individually or collectively. Accounts derived from complex estimates are subject to greater uncertainty than accounts from simple, factual data.

b) Control risk:Control risk is the risk that a material misstatement would not be prevented, detected, or corrected by the accounting and internal control systems. The risk is the function of the effectiveness of the design and operation of internal control system in achieving the entity’s objectives relevant to the preparation of financial statements.

2) Detection risk:


Umar Munir


The risk that auditor will fail to detect material misstatement is known as detection risk. This risk related to auditor. Detection risk is the function of the effectiveness of the audit procedures and of its application by the auditor. Due to sampling procedures, this risk cannot be reduced to ZERO.

There is an INVERSE relationship between the two major categories of risk.

RISK ASSESSMENT TECHNIQUES:IS auditor confronts a variety of audit subjects when determining what to audit. Each subject has its respective degree of audit risk. The IS auditor has to evaluate the high risk areas to be audited. The following risk assessment techniques are used by IS auditor:a) Scoring system:

It refers to prioritizing audit based on the evaluating the risk factors. It considers the following factors in setting priority: Technical complexity. Level of control procedures in place. Level of financial loss.

b) Judgment:The audit makes risk assessment on the basis of following factors: Business knowledge. Executive management directives. Historical perspectives. Business goals. Environmental factors.

ADVANTAGES of risk assessment: Helps allocate audit resources. Helps collect relevant information. Provides basis for managing audit departments.

AUDIT OBJECTIVES:It refers to specific goals of the audit which could include the following: Compliance with regulations. CIA of information.

Compliance versus Substantive Testing:Compliance tests: (Test of controls)When the auditor establishes that there were effective internal controls, he is entitled to conclude that financial statements are less likely to be materially misstated than when controls were absent or ineffective. Hence, the need to deeply verify financial statements reduces. It is referred as relying on the system of internal control to reduce substantive testing. These tests seek to provide audit evidence that internal control procedures are being applied as prescribed. Compliance tests show that internal control system is functioning properly.For example, “to satisfy yourself with reasonable confidence that no goods CAN be dispatched without being invoiced” To understand further, let’s take an example:Control is established that each delivery truck coming to the warehouse must be duly recorded before allowing entering. The auditor’s job is to test the operations of this control. If the evidence is that the control is sound and reasonably effective, there is no need to thoroughly examine the data related to incoming deliveries. However, it doesn’t mean that the need is 100% eliminated.


Umar Munir


Control procedures could be classified into two categories: those which provide documentary evidence that they have been performed and those which don’t. Example of each is below: The control that each employee has to swap his card on entering the premise

could be evidence from employee attendance sheet. Audit trail1 could be performed on these sorts of controls. Tests of these controls are performed by examining the underlying documentation.

The control that one of senior manager must be present at the time of delivery of goods worth exceeding Rs.500000 may not be documented. Tests of controls are performed by personnel enquiries and observation by the auditor.

Substantive tests:Substantive tests substantiate the integrity of actual processing. They provide evidence of the validity and propriety of the balances in the financial statements and the transactions that support those balances.The test of account balances, transactions, and other procedures which seek to provide evidence as to the completeness, accuracy, and validity of accounting information.For example, “to satisfy that no material amount of goods HAVE BEEN dispatched without being invoiced”

If the results of testing controls reveal the presence of adequate internal controls, then the IS auditor is justified in minimizing the substantive procedures. However, if the testing controls reveals weaknesses in control that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can be the alternative to have certainty of results.

Example of Compliance & Substantive Testing:When an IS auditor conducts the audit, he first review the company policy for controls and on the basis of result he decide either he will use compliance testing or substantive testing to verify the controls according to the management specified policy. Company policy is to minimum age for hiring of a Brand Manager is 30 years. In manual system auditor has to go through all the personal files of the Brand Manger to verify the compliance of the policy but in computerized system he will check whether the Human Resource Information System (HRIS) has controls for this limitation. It means system must not accept age for the position of Brand Manager below 30 years at the time of input. This testing method is called compliance testing also known as Test of Controls. However, in absence of such controls auditor will review in detail to confirm the validity of the information. This detailed review in which auditor use actual data is called substantive testing e.g. the IS auditor may use CAAT tolls to extract data from the actual database and check the validity of the record.

EVIDENCE:

1 It is the process of accumulation of source documents and records that allows tracing the origination of the event.


Umar Munir


Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives.

Attributes of evidence:The evidence should be presented following the rules of: Relevancy:

Relevancy refers to the relationship of evidence to its use. Competency:

Competency refers to whether evidence is reliable and the best attainable through reasonable methods.

Sufficiency:Sufficiency is the presence of enough factual and convincing evidence to support the audit team’s findings, conclusions, and recommendations.

RELIABLE AUDIT EVIDENCE:The reliability of audit evidence is influenced by its source and nature. With certain exceptions, following generalization as to reliability of audit evidence can be made: Independent, external source. Evidence generated internally under effective controls. Obtained by auditor himself – observation, inspection etc. In documentary form. Original documents.

DETERMINING AUDIT EVIDENCE:Following are the techniques used by IS auditor to collect audit evidence: Reviewing information system organization structures. Reviewing IS policies and procedures. Reviewing IS standards. Reviewing IS documentations. Interviewing appropriate personnel. Observing processes and employees performance.

SAMPLING: Constrained by time and cost, auditor is forced to sampling. First see important terms: Population – all group of items need to be examined. Sample – subset of population.Sampling is used to inferring characteristics about population based on analysis of sample.

APPROACHES:There are two general approaches of sampling:a) Statistical sampling – objective method:

In this method, IS auditor quantitatively determines the sample size.b) Non-statistical sampling – subjective method:

Non-statistical sampling is a sampling technique where auditor uses his judgment instead of statistical techniques for sampling.

METHODS:There are two primary methods of sampling:1) Attribute sampling:

Attribute sampling is generally applied in compliance testing situations and deals with the presence or absence of the attribute and provides conclusions that are


Umar Munir


expressed in rates of incidence. Attribute sampling refers to three different types of sampling:a) Frequency estimating sampling – used to estimate the rate of occurrence

of certain attribute, answers “how many”. (also called fixed sized attribute sampling)

b) Stop-or-go sampling - When relatively few errors are expected to found in population, this sampling model helps prevent excessive sampling.

c) Discovery sampling – when expected occurrence of an item is extremely low, this sampling is used; for example, to detect fraud.

2) Variable sampling (dollar estimation or mean estimation sampling):Variable sampling is generally applied in substantive testing situations and deals with population characteristics that vary, such as dollars and weights, and provides conclusions related to deviations from the norm. Variable sampling is used to estimate the monetary value of some measures. It consists of the following models:a) Stratified mean per unit – a sampling model in which population is divided

into various groups for sampling.b) Uncertified mean per unit – sample is estimated as an expected total.c) Difference estimation – it is used to estimate the total difference between

audited values and unaudited values, based on sample observations.

SELECTING SAMPLE:

COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs):CAATs are important tools for an IS auditor to collect audit evidence and perform audit function.

WHY CAATs:CAATs help in: Test of transaction details. Analytical reviews. Compliance testing. O/S vulnerable testing.

CAATs include the following:a) Generalized audit software:

It is standard software capable of accessing data from various database platforms. Following functions are supported by GAS: File access – reading different formats. File organization – indexing, sorting etc. Data selection – filtration. Statistical function – sampling. Arithmetic functions – simple and complex calculations.

b) Utilities program:These are software (DBMS etc) which provide evidence to the auditor about system control effectiveness.

c) Test data:Test data enables auditors to assess whether logic errors exist in a program and whether they meet objectives.


Umar Munir


d) Application software:It provides information about built-in controls in the system.

e) Expert systems:Expert System or Knowledge-based systems add knowledge and reasoning capabilities to information systems.

CONTROL SELF ASSESSMENT:A formal, documented methodology used to review the following: Key business objectives. Risk involved in achieving business objectives. Internal controls.In CSA management and work teams are directly involved in judging and monitoring effectiveness of existing controls.Objectives:The objectives of CSA programs include education for line management in control responsibility and monitoring and concentration by all on areas of high risk. The objectives of CSA programs include the enhancement of audit responsibilities, not replacement of audit responsibilities.

Critical point:The traditional role of an IS auditor in a control self-assessment (CSA) should be of facilitator. When CSA programs are established, IS auditors become internal control professionals and assessment facilitators. IS auditors are the facilitators and the client (management and staff) is the participant in the CSA process. During a CSA workshop, instead of the IS auditor performing detailed audit procedures, they should lead and guide the clients in assessing their environment.

TRADITIONAL CSAControl responsibilities are assigned to auditors or external consultants.Traits: Assigns duties. Policy driven. Limited employee participation. Narrow stakeholder focus. Auditor and other specialists. Reporters.

It emphasizes management and accountability of organization’s critical functions.Traits: Empowered/accountable employees. Learning curve/continuous

improvement. Extensive employee participation. Broad stakeholder focus. All staff is primary control analysts. Reporters.


Umar Munir

Documents

Chapter 1 (the Information System Audit Process)