Basics

Information Systems Audit: The Basics

What should you expect from an IS audit? Jennifer Bayuk spells out the audit process, step by step.

By Jennifer Bayuk

May 18, 2009 — CSO —

In the early days of computers, many people were suspicious of their ability to replace human beings performing complex tasks. The first business software applications were mostly in the domain of finance and accounting. The numbers from paper statements and receipts were entered into the computer, which would perform calculations and create reports. Computers were audited using sampling techniques. An auditor would collect the original paper statements and receipts, manually perform the calculations used to create each report, and compare the results of the manual calculation with those generated by the computer. In the early days, accountants would often find programming errors, and these were computer audit findings.

However, these exercises also sometimes yielded findings of fraud. Fraud activities ranged from data entry clerks changing check payees to programmers making deliberate rounding errors designed to accumulate cash balances in hidden bank accounts. [Editor's note: For more, see Essential Reading on Fraud.] As auditors recognized repeating patterns of fraud, they recommended a variety of security features designed to automatically prevent, detect, or recover from theft of assets.

As computers became more sophisticated, auditors recognized that they had fewer and fewer findings related to the correctness of calculations and more and more on the side of unauthorized access. Moreover, the checks and balances that were devised to maintain correctness of calculations were implemented as software change control measures. These rely heavily on security to enforce controls over segregation of duties between programming, testing, and deployment staff. This meant that even programming changes relied in some measure for their effectiveness on computer security controls. Nowadays, information systems audit seems almost synonymous with information security control testing.

The Scope of an IS Audit

However, the normal scope of an information systems audit still does cover the entire lifecycle of the technology under scrutiny, including the correctness of computer calculations. The word "scope" is prefaced by "normal" because the scope of an audit is dependent on its objective. Audits are always a result of some concern over the management of assets. The concerned party may be a regulatory agency, an asset owner, or any stakeholder in the operation of the systems environment, including systems managers themselves. That party will have an objective in commissioning the audit. The objective may be validating the correctness of the systems calculations, confirming that systems are appropriately accounted for as assets, assessing the operational integrity of an automated process, verifying that confidential data is not exposed to unauthorized individuals, and/or multiple combinations of these and other systems-related matters of importance. The objective of an audit will determine its scope.