INFORMATION SYSTEMS AUDITING
Effective management of information and related Information Technology (IT) has become of critical importance to the survival and long-term success of any organization. This has arisen because of the increasing dependence on information and the associated systems that deliver this information, together with the cost and scale of future use of IT. As a result, management has a heightened expectation of delivery from IT functions and demands improved quality with a decreased delivery time and improved service levels at reduced costs. In addition, the increasing potential for threats such as information warfare or cyber terrorism has added a new awareness. At the same time, the potential for technology to revolutionize organizations and their business practices creates new business opportunities and offers the potential to massively reduce costs.
IS Audit has traditionally been based upon the paradigms that control = management control, that management control starts with governance, that top management can control everything, and that control is imposed.
Today’s business environment suggests that a more appropriate re-engineered paradigm might be that continuous improvement focuses control with owners of the process.
The role of IS Audit must change to reflect this new reality. That IS Audit is ultimately responsible to the organization will not change; however, the owners of the process are becoming the custodians of internal control and not necessarily traditional management structures.
IS Auditors frequently become experts at describing the best design and implementation of all types of controls. IS Auditors are not, however, expected to equal—let alone exceed—the technical and operational expertise pertaining to the various activities of the organization. Nevertheless, they may help the responsible individuals achieve more effective results by appraising the existing controls and providing a basis for helping to improve those controls.
Auditing may take the form of IS, internal, external, and public sector auditing. Internal auditing examines the adequacy and effectiveness of the management system of internal control. The role of the external auditor is primarily one of ensuring the fairness of representation of the financial accounts of the entity audited. Within the public sector, much auditing is aimed at ensuring the effectiveness and efficiency of management processes in order to ensure service delivery. IS Auditing may be used in any of the other areas.
The auditing process is also designed to determine where to audit as well as what to audit, and may use any and all of:
Control Strategy Assessment
Control Adequacy and Effectiveness
Performance Quality Assessment
Unit Performance Reporting
Overall, the standards of audit performance must be at a professional level. For IS Audit, this typically means the level laid down in the ISACA standards.
IS Auditing responsibilities include the development and implementation of a risk-based IS Audit strategy and objectives in compliance with generally accepted audit standards (GAAS) in order to provide a statement of assurance that the organization’s information technology and business processes are controlled, monitored, and assessed adequately, and are aligned with the organization’s business objectives. This would also facilitate the monitoring of the implementation of risk management and control practices within the organization.
In addition, IS Auditing involves the planning of specific audits to ensure that the IS Audit strategy and objectives are achieved and that information is obtained that is sufficient, reliable, relevant, and useful in order to achieve the audit objectives. This will typically involve the analysis of information gathered in order to identify reportable conditions and reach appropriate conclusions. IS management will be required to review the work performed in order to provide reasonable assurance that objectives have been achieved. A critical function within IS Auditing is the communication of audit results to key managers and stakeholders.
RELATIONSHIP OF INTERNAL IS AUDIT TO THE EXTERNAL AUDITOR
The external auditor is primarily responsible to the organization and all of its stakeholders. While the external auditor has a statutory responsibility to report on financial matters, IS Auditing forms a key role in achieving that statutory responsibility. As such, while IS Auditing is an integral part of an internal audit function, it must also be seen as an integrated function within the execution of the work of the independent external auditor.
RELATIONSHIP OF IS AUDIT TO OTHER COMPANY AUDIT ACTIVITIES
An understanding of the relationship between IS Auditing and other company audit activities is required in order to fully understand the nature of IS Auditing. The IS Auditor may be seen as an integral part of the IS Audit function, playing an external consultant’s role, or playing an internal role but independent of the IS Audit function.
REGULATION, CONTROL, AND STANDARDS
Increasingly, accreditation and audit of IT services must be provided by internal or third parties to ensure that adequate security and control exist. Several evaluation methods exist that can be used to determine adequacy, including ITSEC, TCSEC, and ISO 9000 evaluations, using standards such as COBIT (Control Objectives for Information and Related Technology), ISO 17799, ITIL (IT Infrastructure Library), COSO Internal Control—Integrated Framework and COSO Enterprise Risk Management—Integrated Framework, and so forth.