INFORMATION SYSTEMS AUDIT
An information technology audit, or information systems audit, is an examination of
the controls within an Information technology (IT) infrastructure. An IT audit is the
process of collecting and evaluating evidence of an organization's information systems,
practices, and operations. The evaluation of obtained evidence determines if the
information systems are safeguarding assets, maintaining data integrity, and operating
effectively and efficiently to achieve the organization's goals or objectives. These reviews
may be performed in conjunction with a financial statement audit, internal audit, or other
form of attestation engagement.
IT audits are also known as automated data processing (ADP) audits and computer audits.
They were formerly called electronic data processing (EDP) audits.
Purpose
An IT audit should not be confused with a financial statement audit. While there may be
some abstract similarities, a financial audit's primary purpose is to evaluate whether an
organization is adhering to standard accounting practices. The primary functions of an IT
audit are to evaluate the system's efficacy and security protocols, in particular, to evaluate
the organization's ability to protect its information assets and properly dispense
information to authorized parties. The IT audit's agenda may be summarized by the
following questions:
Will the organization's computer systems be available for the business at all times
when required? (Availability)
Will the information in the systems be disclosed only to authorized users?
(Confidentiality)
Will the information provided by the system always be accurate, reliable, and
timely? (Integrity)
The IT audit focuses on identifying risks that are relevant to information assets and on
assessing the controls intended to reduce or mitigate those risks. Implementing controls
minimizes the effect of risks, but controls cannot completely eliminate all risks.
Types of IT audits
Various authorities have created differing taxonomies to distinguish the various types of
IT audits. Goodman & Lawless state that there are three specific systematic approaches to
carry out an IT audit [1]:
Technological innovation process audit. The aim of this audit is to
construct a risk profile for existing and new projects. The audit will
assess the length and depth of the company's experience in its chosen
technologies, as well as its presence in relevant markets, the
organization of each project, and the structure of the portion of the
industry that deals with this project or product, organization and
industry structure.
Innovative comparison audit. This audit, as its name implies, means
conducting an analysis of the innovative abilities of the company being
audited in comparison to its competitors. This requires examination of
the company's research and development facilities, as well as its track
record in actually producing new products.
Technological position audit. This audit reviews the technologies that
the business currently has and that it needs to add. Technologies are
characterized as being either "base", "key", "pacing", or "emerging".
Others describe the spectrum of IT audits with five categories of audits:
Systems and Applications: An audit to verify that systems and
applications are appropriate, are efficient, and are adequately controlled to
ensure valid, reliable, timely, and secure input, processing, and output at
all levels of a system's activity.
Information Processing Facilities: An audit to verify that the processing
facility is controlled to ensure timely, accurate, and efficient processing of
applications under normal and potentially disruptive conditions.
Systems Development: An audit to verify that the systems under
development meet the objectives of the organization, and to ensure that the
systems are developed in accordance with generally accepted standards for
systems development.
Management of IT and Enterprise Architecture: An audit to verify that
IT management has developed an organizational structure and procedures
to ensure a controlled and efficient environment for information
processing.
Client/Server, Telecommunications, Intranets, and Extranets: An
audit to verify that controls are in place on the client (computer receiving
services), server, and on the network connecting the clients and servers.
Some lump all IT audits into one of only two types: "general control review"
audits or "application control review" audits.
IT Audit Process
Main article: Information Technology Audit Process
The following are basic steps in performing the Information Technology Audit Process:
1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up