PROJECT ON information system audit


Presentation on theme: "PROJECT ON information system audit"— Presentation transcript:

1 PROJECT ON information system audit
Submitted by: Submitted to:

2 INDEX
• DEFINITION OF ISA
• ISA AUDIT SERVICES
• NEED FOR ISA
• BENEFITS
• IMPORTANCE
• TYPES
• CONTROLS IN ISA
• AUDIT TRAILS

3 DEFINITION OF INFORMATION SYSTEM AUDIT
The effectiveness of an information system’s controls is evaluated through an information systems audit. An audit aims to establish whether information systems are safeguarding corporate assets, maintaining the integrity of stored and communicated data, supporting corporate objectives effectively, and operating efficiently. It is a part of a more general financial audit that verifies an organization’s accounting records and financial statements. Information systems are designed so that every financial transaction can be traced. In other words, an audit trail must exist that can establish where each transaction originated and how it was processed. Aside from financial audits, operational audits are used to evaluate the effectiveness and efficiency of information systems operations, and technological audits verify that information technologies are appropriately chosen, configured, and implemented.

4 ISA provides the following audit services:
IT Governance - IT governance audits include reviews of the organization’s fiduciary responsibility in satisfying the quality of IT delivery services while aligning with the business objectives and establishing an adequate system of internal controls.
Information Systems - Information systems audits focus on the physical and logical security controls of the server, including change control, administration of server accounts, system logging and monitoring, incident handling, system backup and disaster recovery.
Control Self-assessments - Control self-assessments are designed for departments that manage and operate a technology environment. These self-assessment tools can be used to identify potential areas of control weakness in the management of the technology environment.

5 Compliance - Compliance audits include University policies and procedures, Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA), Family Education Rights and Privacy Act (FERPA) and any other applicable laws and regulations.
Integrated Audits - Integrated audits include reviews of the business operations and their dependency on automated systems to support the business process. We consider information technology and financial and operational processes as mutually dependent for establishing an effective and efficient control environment. From the technology perspective, the audit focuses on application controls, administration of user access, application change control, and backup and recovery to assure reliability, integrity and availability of the data.

6 Need for Audit of Information System
The factors that push an organization toward controls and audit of computers, and the impact of the information systems audit function on organizations, are described below:
Organizational Costs of Data Loss: Data is a critical resource of an organization for its present and future process and its ability to adapt and survive in a changing environment.
Incorrect Decision Making: Management and operational controls taken by managers involve detection, investigation and correction of the process.
Costs of Computer Abuse: Unauthorized access to computer systems, malware, unauthorized physical access to computer facilities and unauthorized copies of sensitive data can lead to destruction of assets.
Value of Computer Hardware, Software and Personnel: These are critical resources of an organization, which have a credible impact on its infrastructure and business competitiveness.

7 Cont…
High Costs of Computer Error: In a computerized enterprise environment where many critical business processes are performed, a data error during entry or processing would cause great damage.
Maintenance of Privacy: Today, data collected in a business process contains private information about individuals too.
Controlled Evolution of Computer Use: The reliability of complex computer systems cannot be guaranteed, and the consequences of using unreliable systems can be destructive.
Information Systems Auditing: It is the process of attesting objectives (those of the external auditor) that focus on asset safeguarding and data integrity, and management objectives.

8 Cont…
Data Integrity Objectives: Data integrity is a fundamental attribute of IS auditing. The integrity of an organization’s data must be maintained at all times.
System Effectiveness Objectives: The effectiveness of a system is evaluated by auditing the characteristics and objectives of the system against business and user requirements.
System Efficiency Objectives: To optimize the use of various information system resources along with the impact on its computing environment.
Asset Safeguarding Objectives: The information system assets (hardware, software, data, information, etc.) must be protected by a system of internal controls from unauthorized access.

9 Benefits "Systems do not have a 'life cycle.' They may go on forever if kept viable with change. The only thing that has a 'life cycle' is a project which has a beginning for planning, a middle for execution, and an end for review."  - Bryce's Law

10 Cont…
Auditing of information systems is increasing day by day and is becoming the focal point of independent, compliance, and operational audits. Through auditing, the organization benefits in many ways, as listed below:
• Standardization.
• Improve business efficiency.
• Improve system and process controls.
• Plan for contingencies and disaster recovery.
• Manage information and developing systems.
• Prepare for the independent audit.
• Evaluate the effectiveness and efficiency related to the use of resources.
• Reduce risk and enhance system security.
• Prevent and detect errors as well as fraud.

11 Types There are three types of information system audits: audit carried out in support of a financial statements audit, audit to evaluate compliance to applicable laws, policies and standards related to IT, and finally an IT audit can also be a performance (or value-for-money) audit. The objectives of this audit include finding out if there are any excesses, inefficiency and wastage in the use and management of IT systems. This audit is carried out to assure the stakeholders that the IT system in place is value for the money invested in it.

12 The Importance of Information Systems Audit
Organizations today operate in a dynamic global multi-enterprise environment with team-oriented collaboration and place very stringent requirements on the telecommunications network. Many organizations, no matter their size or scope of operation, have come to realize the importance of using information technology to stay ahead in the current global scenario. Companies have invested in information systems because they recognize the numerous benefits IT can bring to their operations. Management should realize the need to ensure IT systems are reliable, secure and invulnerable to computer attacks. The importance of information security is to ensure data confidentiality, integrity and availability.

13 Confidentiality of data means protecting the information from disclosure to unauthorized parties. Information such as bank account statements, trade secrets, personal information should be kept private and confidential. Protecting this information is a major part of information security. An information systems audit would therefore ensure that the organization’s data is confidentially stored, that data integrity is ensured and data is available at all times for the authorized users.

14 Controls in ISA
When asking an auditor about controls, the key question is “what are the key things an auditor needs to consider while evaluating the said controls?” Various general controls are as follows:
• Operating System Controls
• Data Management Controls
• Organizational Structure Controls
• System Development Controls
• System Maintenance Controls
• Computer Centre Security Controls
• Internet & Intranet Controls
• Personal Computers Controls

15 Audit Trails
Audit trail controls attempt to ensure that a chronological record of all events that have occurred in a system is maintained. This record is needed to answer queries, fulfill statutory requirements, detect the consequences of error and allow system monitoring and tuning. The objective of an audit trail is to obtain sufficient evidential matter regarding the reliability and integrity of the application system. To achieve this, the audit trail should contain enough information to allow management, the auditor and the user:
• to recreate processing actions;
• to verify summary totals; and
• to trace the sources of intentional and unintentional errors.

16 The audit trail should include the following information:
• System information, including start-up time, stop time, restarts, recovery, etc.
• Transaction information, including input items which change the database, control totals and rejected items (relevant to database applications).
• Communication information, including terminal log-on/off, password use, security violations, network changes and transmission statistics (relevant to transaction processing, i.e. TP applications).
Objectives:
• Detecting unauthorized access to the system,
• Facilitating the reconstruction of events, and
• Promoting personal accountability

17 Detecting Unauthorized Access:
Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls. When properly designed, audit trails can be used to determine whether unauthorized access was accomplished, or attempted and failed.
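
An added example (not part of the original presentation) of an after-the-fact review of the log-on records in an audit trail: a burst of failed log-ons is reported as "attempted and failed", and as "accomplished" when a successful log-on follows the burst. The record layout, the event names, the threshold and the time window are assumptions made for this sketch, and a finding is a lead for the auditor to follow up, not proof of a breach.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, terminal, user, event.
SAMPLE_TRAIL = """\
2024-03-01T09:00:05 T01 alice LOGON_OK
2024-03-01T09:14:10 T07 bob LOGON_FAIL
2024-03-01T09:14:21 T07 bob LOGON_FAIL
2024-03-01T09:14:33 T07 bob LOGON_FAIL
2024-03-01T09:14:50 T07 bob LOGON_OK
2024-03-01T10:02:00 T09 carol LOGON_FAIL
2024-03-01T10:02:09 T09 carol LOGON_FAIL
2024-03-01T10:02:15 T09 carol LOGON_FAIL
2024-03-01T11:30:00 T02 dave LOGON_FAIL
2024-03-01T11:30:40 T02 dave LOGON_OK
"""

def parse(trail):
    """Yield (timestamp, terminal, user, event) for each non-empty record."""
    for line in trail.splitlines():
        if line.strip():
            ts, terminal, user, event = line.split()
            yield datetime.fromisoformat(ts), terminal, user, event

def review_logons(trail, threshold=3, window=timedelta(minutes=5)):
    """Return {user: 'accomplished' | 'attempted and failed'} for failure bursts."""
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    findings = {}
    for ts, _terminal, user, event in parse(trail):
        # Keep only failures that are still inside the time window.
        fails = [t for t in recent_failures[user] if ts - t <= window]
        if event == "LOGON_FAIL":
            fails.append(ts)
            if len(fails) >= threshold:
                findings.setdefault(user, "attempted and failed")
        elif event == "LOGON_OK":
            if len(fails) >= threshold:
                findings[user] = "accomplished"  # success right after a burst
            fails = []                           # a success resets the count
        recent_failures[user] = fails
    return findings

if __name__ == "__main__":
    for user, finding in review_logons(SAMPLE_TRAIL).items():
        print(user, finding)
```

Because the function consumes records one at a time in order, the same logic can be fed a live stream of records for real-time detection.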

18 Reconstructing Events
Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors. Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future. For example, by maintaining a record of all changes to account balances, the audit trail can be used to reconstruct accounting data files that were corrupted by a system failure.
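
An added example (not part of the original presentation) of the reconstruction described above: account balances are rebuilt by replaying the recorded changes on top of the last known good balances, rejected items are listed but not applied, and the result is checked against a control total. The record layout, the sequence numbers and the sample figures are assumptions constructed for this sketch.

```python
from decimal import Decimal

# Constructed sample: balances from the last good backup, and the audit-trail
# records written since then as (sequence no., account, amount, status).
OPENING = {"1001": Decimal("500.00"), "1002": Decimal("1200.00")}
TRAIL = [
    (1, "1001", Decimal("-120.00"), "POSTED"),
    (2, "1002", Decimal("75.50"), "POSTED"),
    (3, "1001", Decimal("-900.00"), "REJECTED"),  # logged, never applied
    (4, "1002", Decimal("-200.00"), "POSTED"),
    (5, "1001", Decimal("40.00"), "POSTED"),
]
CONTROL_TOTAL = Decimal("-204.50")  # control total of all posted amounts

def reconstruct(opening, trail, control_total):
    """Replay the trail; return (balances, sequence numbers of rejected items)."""
    balances = dict(opening)
    posted_sum = Decimal("0")
    rejected = []
    ordered = sorted(trail)  # chronological order by sequence number
    expected = ordered[0][0] if ordered else None
    for seq, account, amount, status in ordered:
        # A missing record means the rebuilt file cannot be trusted.
        if seq != expected:
            raise ValueError(f"audit trail gap: expected {expected}, found {seq}")
        expected += 1
        if status == "REJECTED":
            rejected.append(seq)
            continue
        balances[account] = balances.get(account, Decimal("0")) + amount
        posted_sum += amount
    # Verify the summary total before accepting the reconstructed balances.
    if posted_sum != control_total:
        raise ValueError(f"control total mismatch: {posted_sum} != {control_total}")
    return balances, rejected

if __name__ == "__main__":
    rebuilt, rejected_items = reconstruct(OPENING, TRAIL, CONTROL_TOTAL)
    print(rebuilt, rejected_items)
```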

19 Personal Accountability:
Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control that can be used to influence behavior. Individuals are likely to violate an organization’s security policy if they know that their actions are not recorded in an audit log.

20 Conclusion: The computer is changing the world. Business operations are also changing, sometimes very rapidly, because of the fast continuing improvement of technology. For the IT auditor, the need for audit, security, and control will be critical in the areas of IT and will be the challenge of this millennium. There are many challenges ahead; everyone must work together to design, implement, and safeguard the integration of these technologies in the workplace.

